chore: copy

style: show lock icon for encrypted profiles
refactor: add cleanup for expired subscriptions
2026-06-26 16:39:58 +02:00 · 2026-03-02 23:35:04 +04:00 · 2026-03-02 19:12:11 +04:00 · 2026-03-02 18:49:47 +04:00 · 2026-03-02 16:24:10 +04:00 · 2026-03-02 15:49:26 +04:00
134 changed files with 22829 additions and 5628 deletions
@@ -27,7 +27,7 @@ Hi there! To expedite issue processing please search open and closed issues befo

 ## Your Environment

-<!-- Please provide as much information as you feel comfortable to help us understand the issue better -->
+<!-- Please provide as much information as you feel comfortable to help the maintainers understand the issue better -->

 ## Exception or Error or Screenshot

@@ -0,0 +1,76 @@
+messages:
+  - role: system
+    content: |-
+      You are an issue validation assistant for Donut Browser, an anti-detect browser.
+
+      Analyze the provided issue content and determine if it contains sufficient information based on these requirements:
+
+      For Bug Reports, the issue should include:
+      1. Clear description of the problem
+      2. Steps to reproduce the issue (numbered list preferred)
+      3. Expected vs actual behavior
+      4. Environment information (OS, browser version, etc.)
+      5. Error messages, stack traces, or screenshots if applicable
+
+      For Feature Requests, the issue should include:
+      1. Clear description of the requested feature
+      2. Use case or problem it solves
+      3. Proposed solution or how it should work
+      4. Priority level or importance
+
+      General Requirements for all issues:
+      1. Descriptive title
+      2. Sufficient detail to understand and act upon
+      3. Professional tone and clear communication
+
+      Constraints:
+      - Maximum 3 items in missing_info array
+      - Maximum 3 items in suggestions array
+      - Each array item must be under 80 characters
+      - overall_assessment must be under 100 characters
+  - role: user
+    content: |-
+      ## Issue Content to Analyze:
+
+      **Title:** {{issue_title}}
+
+      **Body:**
+      {{issue_body}}
+
+      **Labels:** {{issue_labels}}
+model: openai/gpt-4.1
+responseFormat: json_schema
+jsonSchema: |-
+  {
+    "name": "issue_validation",
+    "strict": true,
+    "schema": {
+      "type": "object",
+      "properties": {
+        "is_valid": {
+          "type": "boolean",
+          "description": "Whether the issue contains sufficient information"
+        },
+        "issue_type": {
+          "type": "string",
+          "enum": ["bug_report", "feature_request", "other"]
+        },
+        "missing_info": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Missing information items (max 3, each under 80 characters)"
+        },
+        "suggestions": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Suggestions for improvement (max 3, each under 80 characters)"
+        },
+        "overall_assessment": {
+          "type": "string",
+          "description": "One sentence assessment under 100 characters"
+        }
+      },
+      "required": ["is_valid", "issue_type", "missing_info", "suggestions", "overall_assessment"],
+      "additionalProperties": false
+    }
+  }
@@ -0,0 +1,67 @@
+messages:
+  - role: system
+    content: |-
+      You are a code review assistant for Donut Browser, an open-source anti-detect browser built with Tauri, Next.js, and Rust.
+
+      Review the provided pull request and provide constructive feedback. Focus on:
+      1. Code quality and best practices
+      2. Potential bugs or issues
+      3. Security concerns (especially important for an anti-detect browser)
+      4. Performance implications
+      5. Consistency with the project's patterns
+
+      Constraints:
+      - Maximum 4 items in feedback array
+      - Maximum 3 items in suggestions array
+      - Maximum 2 items in security_notes array
+      - Each array item must be under 150 characters
+      - summary must be under 200 characters
+      - Be constructive and helpful, not harsh
+  - role: user
+    content: |-
+      ## Pull Request to Review:
+
+      **Title:** {{pr_title}}
+
+      **Description:**
+      {{pr_body}}
+
+      **Diff:**
+      {{pr_diff}}
+model: openai/gpt-4.1
+responseFormat: json_schema
+jsonSchema: |-
+  {
+    "name": "pr_review",
+    "strict": true,
+    "schema": {
+      "type": "object",
+      "properties": {
+        "summary": {
+          "type": "string",
+          "description": "Brief 1-2 sentence summary under 200 characters"
+        },
+        "quality_score": {
+          "type": "string",
+          "enum": ["good", "needs_work", "critical_issues"]
+        },
+        "feedback": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Feedback points (max 4, each under 150 characters)"
+        },
+        "suggestions": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Suggestions (max 3, each under 150 characters)"
+        },
+        "security_notes": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Security notes if any (max 2, each under 150 characters)"
+        }
+      },
+      "required": ["summary", "quality_score", "feedback", "suggestions", "security_notes"],
+      "additionalProperties": false
+    }
+  }
@@ -0,0 +1,33 @@
+messages:
+  - role: system
+    content: |-
+      You are an expert technical writer tasked with generating comprehensive release notes for Donut Browser, a powerful anti-detect browser desktop app built with Tauri + Next.js that helps users manage multiple browser profiles with proxy support.
+
+      Guidelines:
+      - Use clear, user-friendly language
+      - Group related commits logically
+      - Omit minor commits like formatting, typos unless significant
+      - Focus on user-facing changes
+      - Use emojis sparingly and consistently
+      - Keep descriptions concise but informative
+      - If commits are unclear, infer the purpose from the context
+      - Only include sections that have relevant changes
+  - role: user
+    content: |-
+      Generate release notes for version {{version}} based on these commits:
+
+      {{commits}}
+
+      Use this format:
+
+      ## What's New in {{version}}
+
+      [Brief 1-2 sentence overview]
+
+      ### New Features
+      ### Bug Fixes
+      ### Improvements
+      ### Documentation
+      ### Dependencies
+      ### Developer Experience
+model: openai/gpt-4.1
@@ -26,81 +26,22 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

-      - name: Get issue templates
-        id: get-templates
-        run: |
-          if [ -f ".github/ISSUE_TEMPLATE/01-bug-report.md" ]; then
-            echo "bug-template-exists=true" >> $GITHUB_OUTPUT
-          fi
-
-          if [ -f ".github/ISSUE_TEMPLATE/02-feature-request.md" ]; then
-            echo "feature-template-exists=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Create issue analysis prompt
-        id: create-prompt
+      - name: Save issue body to file
        env:
-          ISSUE_TITLE: ${{ github.event.issue.title }}
          ISSUE_BODY: ${{ github.event.issue.body }}
-          ISSUE_LABELS: ${{ join(github.event.issue.labels.*.name, ', ') }}
-        run: |
-          cat > issue_analysis.txt << EOF
-          ## Issue Content to Analyze:
-
-          **Title:** $ISSUE_TITLE
-
-          **Body:**
-          $ISSUE_BODY
-
-          **Labels:** $ISSUE_LABELS
-          EOF
+        run: printf '%s' "${ISSUE_BODY:-}" > issue_body.txt

      - name: Validate issue with AI
        id: validate
-        uses: actions/ai-inference@a380166897b5408b8fb7dddd148142794cb5624a # v2.0.6
+        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
        with:
-          prompt-file: issue_analysis.txt
-          system-prompt: |
-            You are an issue validation assistant for Donut Browser, an anti-detect browser.
-
-            Analyze the provided issue content and determine if it contains sufficient information based on these requirements:
-
-            **For Bug Reports, the issue should include:**
-            1. Clear description of the problem
-            2. Steps to reproduce the issue (numbered list preferred)
-            3. Expected vs actual behavior
-            4. Environment information (OS, browser version, etc.)
-            5. Error messages, stack traces, or screenshots if applicable
-
-            **For Feature Requests, the issue should include:**
-            1. Clear description of the requested feature
-            2. Use case or problem it solves
-            3. Proposed solution or how it should work
-            4. Priority level or importance
-
-            **General Requirements for all issues:**
-            1. Descriptive title
-            2. Sufficient detail to understand and act upon
-            3. Professional tone and clear communication
-
-            Respond ONLY with valid JSON (no markdown fences). Keep responses concise.
-
-            JSON structure:
-            {
-              "is_valid": true|false,
-              "issue_type": "bug_report"|"feature_request"|"other",
-              "missing_info": ["item1", "item2"],
-              "suggestions": ["suggestion1", "suggestion2"],
-              "overall_assessment": "One sentence assessment"
-            }
-
-            IMPORTANT CONSTRAINTS:
-            - Maximum 3 items in missing_info array
-            - Maximum 3 items in suggestions array
-            - Each array item must be under 80 characters
-            - overall_assessment must be under 100 characters
-            - Output ONLY the JSON object, nothing else
-          model: gpt-5-mini
+          prompt-file: .github/prompts/issue-validation.prompt.yml
+          input: |
+            issue_title: ${{ github.event.issue.title }}
+            issue_labels: ${{ join(github.event.issue.labels.*.name, ', ') }}
+          file_input: |
+            issue_body: ./issue_body.txt
+          max-tokens: 1024

      - name: Check if first-time contributor
        id: check-first-time
@@ -156,21 +97,21 @@ jobs:
            {
              printf "%b" "$GREETING_SECTION"
              printf "## 🤖 Issue Validation\n\n"
-              printf "Thank you for submitting this issue! However, it appears that some required information might be missing to help us better understand and address your concern.\n\n"
+              printf "Thank you for submitting this issue! However, it appears that some required information might be missing to help the maintainers better understand and address your concern.\n\n"
              printf "**Issue Type Detected:** \`%s\`\n\n" "$ISSUE_TYPE"
              printf "**Assessment:** %s\n\n" "$ASSESSMENT"
              printf "### 📋 Missing Information:\n%s\n\n" "$MISSING_INFO"
              printf "### 💡 Suggestions for Improvement:\n%s\n\n" "$SUGGESTIONS"
              printf "### 📝 How to Provide Additional Information:\n\n"
-              printf "Please edit your original issue description to include the missing information. Here are our issue templates for reference:\n\n"
+              printf "Please edit your original issue description to include the missing information. Here are the issue templates for reference:\n\n"
              printf -- "- **Bug Report Template:** [View Template](.github/ISSUE_TEMPLATE/01-bug-report.md)\n"
              printf -- "- **Feature Request Template:** [View Template](.github/ISSUE_TEMPLATE/02-feature-request.md)\n\n"
              printf "### 🔧 Quick Tips:\n"
              printf -- "- For **bug reports**: Include step-by-step reproduction instructions, your environment details, and any error messages\n"
              printf -- "- For **feature requests**: Describe the use case, expected behavior, and why this feature would be valuable\n"
              printf -- "- Add **screenshots** or **logs** when applicable\n\n"
-              printf "Once you have updated the issue with the missing information, feel free to remove this comment or reply to let us know you have made the updates.\n\n"
-              printf -- "---\n*This validation was performed automatically to ensure we have all the information needed to help you effectively.*\n"
+              printf "Once you have updated the issue with the missing information, feel free to remove this comment or reply to let the maintainers know the updates have been made.\n\n"
+              printf -- "---\n*This validation was performed automatically to ensure all the information needed to help effectively is provided.*\n"
            } > comment.md

            gh issue comment ${{ github.event.issue.number }} --body-file comment.md
@@ -203,14 +144,14 @@ jobs:
          fi

      - name: Run opencode analysis
-        uses: anomalyco/opencode/github@d1482e148399bfaf808674549199f5f4aa69a22d #v1.2.4
+        uses: anomalyco/opencode/github@799b2623cbb1c0f19e045d87c2c8593e83678bc0 #v1.2.15
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
        with:
          model: zai-coding-plan/glm-4.7

      - name: Cleanup
-        run: rm -f issue_analysis.txt comment.md
+        run: rm -f issue_body.txt comment.md

  handle-pr:
    if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
@@ -245,54 +186,22 @@ jobs:
          gh pr diff ${{ github.event.pull_request.number }} > pr_diff.txt
          head -c 10000 pr_diff.txt > pr_diff_truncated.txt

-      - name: Create PR analysis prompt
+      - name: Save PR body to file
        env:
-          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_BODY: ${{ github.event.pull_request.body }}
-        run: |
-          {
-            printf "## Pull Request to Review:\n\n"
-            printf "**Title:** %s\n\n" "$PR_TITLE"
-            printf "**Description:**\n%s\n\n" "$PR_BODY"
-            printf "**Diff:**\n"
-            cat pr_diff_truncated.txt
-          } > pr_analysis.txt
+        run: printf '%s' "${PR_BODY:-No description provided}" > pr_body.txt

      - name: Analyze PR with AI
        id: analyze
-        uses: actions/ai-inference@a380166897b5408b8fb7dddd148142794cb5624a # v2.0.6
+        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
        with:
-          prompt-file: pr_analysis.txt
-          system-prompt: |
-            You are a code review assistant for Donut Browser, an open-source anti-detect browser built with Tauri, Next.js, and Rust.
-
-            Review the provided pull request and provide constructive feedback. Focus on:
-            1. Code quality and best practices
-            2. Potential bugs or issues
-            3. Security concerns (especially important for an anti-detect browser)
-            4. Performance implications
-            5. Consistency with the project's patterns
-
-            Respond ONLY with valid JSON (no markdown fences).
-
-            JSON structure:
-            {
-              "summary": "Brief 1-2 sentence summary of what this PR does",
-              "quality_score": "good"|"needs_work"|"critical_issues",
-              "feedback": ["feedback point 1", "feedback point 2"],
-              "suggestions": ["suggestion 1", "suggestion 2"],
-              "security_notes": ["security note if any"] or []
-            }
-
-            IMPORTANT CONSTRAINTS:
-            - Maximum 4 items in feedback array
-            - Maximum 3 items in suggestions array
-            - Maximum 2 items in security_notes array
-            - Each array item must be under 150 characters
-            - summary must be under 200 characters
-            - Be constructive and helpful, not harsh
-            - Output ONLY the JSON object, nothing else
-          model: gpt-5-mini
+          prompt-file: .github/prompts/pr-review.prompt.yml
+          input: |
+            pr_title: ${{ github.event.pull_request.title }}
+          file_input: |
+            pr_body: ./pr_body.txt
+            pr_diff: ./pr_diff_truncated.txt
+          max-tokens: 1024

      - name: Post PR feedback comment
        env:
@@ -364,14 +273,14 @@ jobs:
          gh pr comment ${{ github.event.pull_request.number }} --body-file comment.md

      - name: Run opencode analysis
-        uses: anomalyco/opencode/github@d1482e148399bfaf808674549199f5f4aa69a22d #v1.2.4
+        uses: anomalyco/opencode/github@799b2623cbb1c0f19e045d87c2c8593e83678bc0 #v1.2.15
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
        with:
          model: zai-coding-plan/glm-4.7

      - name: Cleanup
-        run: rm -f pr_diff.txt pr_diff_truncated.txt pr_analysis.txt comment.md
+        run: rm -f pr_diff.txt pr_diff_truncated.txt pr_body.txt comment.md

  opencode-command:
    if: |
@@ -386,7 +295,7 @@ jobs:
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

      - name: Run opencode
-        uses: anomalyco/opencode/github@d1482e148399bfaf808674549199f5f4aa69a22d #v1.2.4
+        uses: anomalyco/opencode/github@799b2623cbb1c0f19e045d87c2c8593e83678bc0 #v1.2.15
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
        with:
@@ -29,6 +29,7 @@ permissions:
 jobs:
  build:
    strategy:
+      fail-fast: false
      matrix:
        os: [macos-latest, ubuntu-22.04, windows-latest]

@@ -82,47 +82,14 @@ jobs:
      - name: Generate release notes with AI
        id: generate-notes
        if: steps.get-release.outputs.is-prerelease == 'false'
-        uses: actions/ai-inference@a380166897b5408b8fb7dddd148142794cb5624a # v2.0.6
+        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
        with:
-          prompt-file: commits.txt
-          system-prompt: |
-            You are an expert technical writer tasked with generating comprehensive release notes for Donut Browser, a powerful anti-detect browser.
-
-            Analyze the provided commit messages and generate well-structured release notes following this format:
-
-            ## What's New in ${{ steps.get-previous-tag.outputs.current-tag }}
-
-            [Brief 1-2 sentence overview of the release]
-
-            ### ✨ New Features
-            [List new features with brief descriptions]
-
-            ### 🐛 Bug Fixes  
-            [List bug fixes]
-
-            ### 🔧 Improvements
-            [List improvements and enhancements]
-
-            ### 📚 Documentation
-            [List documentation updates if any]
-
-            ### 🔄 Dependencies
-            [List dependency updates if any]
-
-            ### 🛠️ Developer Experience
-            [List development-related changes if any]
-
-            Guidelines:
-            - Use clear, user-friendly language
-            - Group related commits logically
-            - Omit minor commits like formatting, typos unless significant
-            - Focus on user-facing changes
-            - Use emojis sparingly and consistently
-            - Keep descriptions concise but informative
-            - If commits are unclear, infer the purpose from the context
-
-            The application is a desktop app built with Tauri + Next.js that helps users manage multiple browser profiles with proxy support.
-          model: gpt-5-mini
+          prompt-file: .github/prompts/release-notes.prompt.yml
+          input: |
+            version: ${{ steps.get-previous-tag.outputs.current-tag }}
+          file_input: |
+            commits: ./commits.txt
+          max-tokens: 4096

      - name: Update release with generated notes
        if: steps.get-release.outputs.is-prerelease == 'false'
@@ -230,3 +230,104 @@ jobs:
 #        with:
 #          branch: main
 #          commit_message: "docs: update CHANGELOG.md for ${{ github.ref_name }} [skip ci]"
+
+  publish-repos:
+    needs: [release]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Download Linux packages from release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mkdir -p /tmp/packages
+          gh release download "$GITHUB_REF_NAME" \
+            --repo "$GITHUB_REPOSITORY" \
+            --pattern "*.deb" \
+            --dir /tmp/packages
+          gh release download "$GITHUB_REF_NAME" \
+            --repo "$GITHUB_REPOSITORY" \
+            --pattern "*.rpm" \
+            --dir /tmp/packages
+          echo "Downloaded packages:"
+          ls -la /tmp/packages/
+
+      - name: Setup Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
+        with:
+          go-version: "1.23"
+          cache: false
+
+      - name: Install repogen
+        run: |
+          go install github.com/ralt/repogen/cmd/repogen@latest
+          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
+
+      - name: Configure AWS CLI for Cloudflare R2
+        run: |
+          aws configure set aws_access_key_id "${{ secrets.R2_ACCESS_KEY_ID }}"
+          aws configure set aws_secret_access_key "${{ secrets.R2_SECRET_ACCESS_KEY }}"
+          aws configure set default.region auto
+
+      - name: Sync existing repo metadata from R2
+        env:
+          R2_ENDPOINT: ${{ secrets.R2_ENDPOINT_URL }}
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          mkdir -p /tmp/repo
+          aws s3 sync "s3://${R2_BUCKET}/dists" /tmp/repo/dists \
+            --endpoint-url "${R2_ENDPOINT}" --delete 2>/dev/null || true
+          aws s3 sync "s3://${R2_BUCKET}/repodata" /tmp/repo/repodata \
+            --endpoint-url "${R2_ENDPOINT}" --delete 2>/dev/null || true
+
+      - name: Generate repository with repogen
+        run: |
+          repogen generate \
+            --input-dir /tmp/packages \
+            --output-dir /tmp/repo \
+            --incremental \
+            --arch amd64,arm64 \
+            --origin "Donut Browser" \
+            --label "Donut Browser" \
+            --codename stable \
+            --components main \
+            --verbose
+
+      - name: Upload repository to R2
+        env:
+          R2_ENDPOINT: ${{ secrets.R2_ENDPOINT_URL }}
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          aws s3 sync /tmp/repo/dists "s3://${R2_BUCKET}/dists" \
+            --endpoint-url "${R2_ENDPOINT}" --delete
+          aws s3 sync /tmp/repo/pool "s3://${R2_BUCKET}/pool" \
+            --endpoint-url "${R2_ENDPOINT}"
+          aws s3 sync /tmp/repo/repodata "s3://${R2_BUCKET}/repodata" \
+            --endpoint-url "${R2_ENDPOINT}" --delete
+          aws s3 sync /tmp/repo/Packages "s3://${R2_BUCKET}/Packages" \
+            --endpoint-url "${R2_ENDPOINT}"
+
+      - name: Verify upload
+        env:
+          R2_ENDPOINT: ${{ secrets.R2_ENDPOINT_URL }}
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          echo "DEB repo:"
+          aws s3 ls "s3://${R2_BUCKET}/dists/stable/" --endpoint-url "${R2_ENDPOINT}"
+          echo "RPM repo:"
+          aws s3 ls "s3://${R2_BUCKET}/repodata/" --endpoint-url "${R2_ENDPOINT}"
+
+  bump-homebrew-cask:
+    needs: [release]
+    runs-on: macos-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Bump Homebrew cask
+        env:
+          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
+        run: |
+          brew tap --force homebrew/cask
+          VERSION="${GITHUB_REF_NAME#v}"
+          brew bump-cask-pr --version "$VERSION" --no-browse donut
@@ -234,3 +234,55 @@ jobs:
        run: |
          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
          rm -f $RUNNER_TEMP/build_certificate.p12 || true
+
+  update-nightly-release:
+    needs: [rolling-release]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+
+      - name: Generate nightly tag
+        id: tag
+        run: |
+          TIMESTAMP=$(date -u +"%Y-%m-%d")
+          COMMIT_HASH=$(echo "${GITHUB_SHA}" | cut -c1-7)
+          echo "nightly_tag=nightly-${TIMESTAMP}-${COMMIT_HASH}" >> $GITHUB_OUTPUT
+
+      - name: Update rolling nightly release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          NIGHTLY_TAG="${{ steps.tag.outputs.nightly_tag }}"
+          ASSETS_DIR="/tmp/nightly-assets"
+
+          # Download all assets from the per-commit nightly release
+          mkdir -p "$ASSETS_DIR"
+          gh release download "$NIGHTLY_TAG" --dir "$ASSETS_DIR" --clobber
+
+          # Rename versioned filenames to stable nightly names
+          cd "$ASSETS_DIR"
+          for f in Donut_*_aarch64.dmg; do [ -f "$f" ] && mv "$f" Donut_nightly_aarch64.dmg; done
+          for f in Donut_*_x64.dmg; do [ -f "$f" ] && mv "$f" Donut_nightly_x64.dmg; done
+          for f in Donut_*_x64-setup.exe; do [ -f "$f" ] && mv "$f" Donut_nightly_x64-setup.exe; done
+          for f in Donut_*_aarch64.AppImage; do [ -f "$f" ] && mv "$f" Donut_nightly_aarch64.AppImage; done
+          for f in Donut_*_amd64.AppImage; do [ -f "$f" ] && mv "$f" Donut_nightly_amd64.AppImage; done
+          for f in Donut_*_amd64.deb; do [ -f "$f" ] && mv "$f" Donut_nightly_amd64.deb; done
+          for f in Donut_*_arm64.deb; do [ -f "$f" ] && mv "$f" Donut_nightly_arm64.deb; done
+          for f in Donut-*.x86_64.rpm; do [ -f "$f" ] && mv "$f" Donut_nightly_x86_64.rpm; done
+          for f in Donut-*.aarch64.rpm; do [ -f "$f" ] && mv "$f" Donut_nightly_aarch64.rpm; done
+          cd "$GITHUB_WORKSPACE"
+
+          # Delete existing rolling nightly release and tag
+          gh release delete nightly --yes 2>/dev/null || true
+          git push --delete origin nightly 2>/dev/null || true
+
+          # Create new rolling nightly release with all assets
+          gh release create nightly \
+            "$ASSETS_DIR"/Donut_nightly_* \
+            "$ASSETS_DIR"/Donut_aarch64.app.tar.gz \
+            "$ASSETS_DIR"/Donut_x64.app.tar.gz \
+            --title "Donut Browser Nightly" \
+            --notes "Automatically updated nightly build from the latest main branch.\n\nCommit: ${GITHUB_SHA}" \
+            --prerelease
@@ -23,4 +23,4 @@ jobs:
      - name: Checkout Actions Repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
      - name: Spell Check Repo
-        uses: crate-ci/typos@78bc6fb2c0d734235d57a2d6b9de923cc325ebdd #v1.43.4
+        uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d #v1.44.0
@@ -12,7 +12,7 @@ jobs:
      pull-requests: write

    steps:
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          stale-issue-message: "This issue has been inactive for 60 days. Please respond to keep it open."
@@ -24,6 +24,7 @@ jobs:
  rust-sync-e2e:
    name: Rust Sync E2E Tests
    strategy:
+      fail-fast: false
      matrix:
        os: [macos-latest, ubuntu-22.04]

@@ -31,6 +31,7 @@
    "cmdk",
    "codegen",
    "codesign",
+    "codesigning",
    "commitish",
    "Crashpad",
    "CTYPE",
@@ -44,6 +45,8 @@
    "devedition",
    "direnv",
    "distro",
+    "dists",
+    "DMABUF",
    "doctest",
    "doesn",
    "domcontentloaded",
@@ -65,6 +68,7 @@
    "gettimezone",
    "gifs",
    "globset",
+    "GOPATH",
    "gsettings",
    "healthreport",
    "hiddenimports",
@@ -77,6 +81,7 @@
    "idletime",
    "idna",
    "infobars",
+    "inkey",
    "Inno",
    "kdeglobals",
    "keras",
@@ -92,6 +97,7 @@
    "libayatana",
    "libc",
    "libcairo",
+    "libfuse",
    "libgdk",
    "libglib",
    "libpango",
@@ -131,10 +137,13 @@
    "osascript",
    "oscpu",
    "outpath",
+    "OVPN",
+    "passout",
    "patchelf",
    "pathex",
    "pathlib",
    "peerconnection",
+    "PHANDLER",
    "pids",
    "pixbuf",
    "pkexec",
@@ -153,6 +162,9 @@
    "pytest",
    "pyyaml",
    "quic",
+    "ralt",
+    "repodata",
+    "repogen",
    "reportingpolicy",
    "reqwest",
    "ridedott",
@@ -172,6 +184,7 @@
    "shadcn",
    "showcursor",
    "shutil",
+    "sighandler",
    "signon",
    "signum",
    "sklearn",
@@ -183,6 +196,7 @@
    "stefanzweifel",
    "subdirs",
    "subkey",
+    "subsec",
    "SUPPRESSMSGBOXES",
    "swatinem",
    "sysinfo",
@@ -212,6 +226,7 @@
    "venv",
    "vercel",
    "VERYSILENT",
+    "vpns",
    "wayfern",
    "webgl",
    "webrtc",
@@ -1,10 +1,10 @@
 # Code of Conduct

-All participants of the Donut Browser project (referred to as "the project") are expected to abide by our Code of Conduct, both online and during in-person events that are hosted and/or associated with the project.
+All participants of the Donut Browser project (referred to as "the project") are expected to abide by this Code of Conduct, both online and during in-person events that are hosted and/or associated with the project.

 ## The Pledge

-In the interest of fostering an open and welcoming environment, we pledge to make participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+In the interest of fostering an open and welcoming environment, the maintainers pledge to make participation in the project and the community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

 ## The Standards

@@ -23,6 +23,6 @@ Examples of unacceptable behavior by participants include:

 ## Enforcement

-Violations of the Code of Conduct may be reported to contact at donutbrowser dot com. All reports will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. Further details of specific enforcement policies may be posted separately.
+Violations of the Code of Conduct may be reported to [contact@donutbrowser.com](mailto:contact@donutbrowser.com). All reports will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. Further details of specific enforcement policies may be posted separately.

-We hold the right and responsibility to remove comments or other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any members for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+The maintainers hold the right and responsibility to remove comments or other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any members for other behaviors that are deemed inappropriate, threatening, offensive, or harmful.
@@ -10,11 +10,11 @@ Do keep in mind before you start working on an issue / posting a PR:

 - Search existing PRs related to that issue which might close them
 - Confirm if other contributors are working on the same issue
- Check if the feature aligns with our roadmap and project goals
+- Check if the feature aligns with the project's roadmap and goals

 ## Contributor License Agreement

-By contributing to Donut Browser, you agree that your contributions will be licensed under the same terms as the project. You must agree to our [Contributor License Agreement](CONTRIBUTOR_LICENSE_AGREEMENT.md) before your contributions can be accepted. This agreement ensures that:
+By contributing to Donut Browser, you agree that your contributions will be licensed under the same terms as the project. You must agree to the [Contributor License Agreement](CONTRIBUTOR_LICENSE_AGREEMENT.md) before your contributions can be accepted. This agreement ensures that:

 - Your contributions can be used in the open source version of Donut Browser (licensed under AGPL-3.0)
 - Donut Browser can offer commercial licenses for the software, including your contributions
@@ -27,7 +27,7 @@ When you submit your first pull request, you acknowledge that you agree to the t
 - PRs with tests are highly appreciated
 - Avoid adding third party libraries, whenever possible
 - Unless you are helping out by updating dependencies, you should not be uploading your lock files or updating any dependencies in your PR
- If you are unsure where to start, open a discussion and we will point you to a good first issue
+- If you are unsure where to start, open a discussion to get pointed to a good first issue

 ## Development Setup

@@ -80,7 +80,7 @@ This will start the app for local development with live reloading.

 ## Code Style & Quality

-We use several tools to maintain code quality:
+The project uses several tools to maintain code quality:

 - **Biome** for JavaScript/TypeScript linting and formatting
 - **Clippy** for Rust linting
@@ -88,7 +88,7 @@ We use several tools to maintain code quality:

 ### Before Committing

-Run these commands to ensure your code meets our standards:
+Run these commands to ensure your code meets the project's standards:

 ```bash
 # Format and lint frontend code
@@ -151,7 +151,7 @@ Refs #00000

 ### PR Checklist

- [ ] Code follows our style guidelines
+- [ ] Code follows the project's style guidelines
 - [ ] I have performed a self-review of my code
 - [ ] I have commented my code, particularly in hard-to-understand areas
 - [ ] I have made corresponding changes to the documentation
@@ -187,7 +187,7 @@ Please note that this project is released with a [Contributor Code of Conduct](C

 ## Recognition

-All contributors will be recognized! We use the all-contributors specification to acknowledge everyone who contributes to the project.
+All contributors will be recognized! The project uses the all-contributors specification to acknowledge everyone who contributes.

 ---

@@ -25,11 +25,7 @@
  </a>
 </p>

-<picture>
- <source media="(prefers-color-scheme: dark)" srcset="assets/preview-dark.png" />
- <source media="(prefers-color-scheme: light)" srcset="assets/preview.png" />
- <img alt="Preview" src="assets/preview.png" />
-</picture>
+<img alt="Donut Browser Preview" src="assets/donut-preview.png" />

 ## Features

@@ -46,6 +42,19 @@

 The app can be downloaded from the [releases page](https://github.com/zhom/donutbrowser/releases/latest).

+<details>
+<summary>Troubleshooting AppImage on Linux</summary>
+
+If the AppImage segfaults on launch, install **libfuse2** (`sudo apt install libfuse2` / `yay -S libfuse2` / `sudo dnf install fuse-libs`), or bypass FUSE entirely:
+
+```bash
+APPIMAGE_EXTRACT_AND_RUN=1 ./Donut.Browser_x.x.x_amd64.AppImage
+```
+
+If that gives an EGL display error, try adding `WEBKIT_DISABLE_DMABUF_RENDERER=1` or `GDK_BACKEND=x11` to the command above. If issues persist, the **.deb** / **.rpm** packages are a more reliable alternative.
+
+</details>
+
 <!-- ## Supported Platforms

 - ✅ **macOS** (Apple Silicon)
@@ -68,7 +77,7 @@ Donut Browser supports syncing profiles, proxies, and groups across devices via

 ## Community

-Have questions or want to contribute? We'd love to hear from you!
+Have questions or want to contribute? The team would love to hear from you!

 - **Issues**: [GitHub Issues](https://github.com/zhom/donutbrowser/issues)
 - **Discussions**: [GitHub Discussions](https://github.com/zhom/donutbrowser/discussions)
@@ -117,7 +126,7 @@ Have questions or want to contribute? We'd love to hear from you!

 ## Contact

-Have an urgent question or want to report a security vulnerability? Send an email to contact at donutbrowser dot com and we'll get back to you as fast as possible.
+Have an urgent question or want to report a security vulnerability? Send an email to [contact@donutbrowser.com](mailto:contact@donutbrowser.com) and the team will get back to you as fast as possible.

 ## License

@@ -8,7 +8,7 @@ We take the security of Donut Browser seriously. If you believe you have found a

 **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**

-Instead, please send an email to **contact at donutbrowser dot com** with the subject line "Security Vulnerability Report".
+Instead, please send an email to **[contact@donutbrowser.com](mailto:contact@donutbrowser.com)** with the subject line "Security Vulnerability Report".

 Please include as much of the information listed below as you can to help us better understand and resolve the issue:

@@ -32,7 +32,7 @@ This information will help us triage your report more quickly.

 ## Contact

-For urgent security matters, please contact us at **contact at donutbrowser dot com**.
+For urgent security matters, please contact us at **[contact@donutbrowser.com](mailto:contact@donutbrowser.com)**.

 For general questions about this security policy, you can also reach out through:

@@ -6,3 +6,6 @@ extend-exclude = [
    "src-tauri/build.rs",
    "src-tauri/tests/fixtures/test.ovpn",
 ]
+
+[default.extend-words]
+DBE = "DBE"
@@ -18,12 +18,12 @@
    "test:e2e": "jest --config ./test/jest-e2e.json"
  },
  "dependencies": {
-    "@aws-sdk/client-s3": "^3.990.0",
-    "@aws-sdk/s3-request-presigner": "^3.990.0",
-    "@nestjs/common": "^11.1.13",
+    "@aws-sdk/client-s3": "^3.1000.0",
+    "@aws-sdk/s3-request-presigner": "^3.1000.0",
+    "@nestjs/common": "^11.1.14",
    "@nestjs/config": "^4.0.3",
-    "@nestjs/core": "^11.1.13",
-    "@nestjs/platform-express": "^11.1.13",
+    "@nestjs/core": "^11.1.14",
+    "@nestjs/platform-express": "^11.1.14",
    "jsonwebtoken": "^9.0.3",
    "reflect-metadata": "^0.2.2",
    "rxjs": "^7.8.2"
@@ -31,12 +31,12 @@
  "devDependencies": {
    "@nestjs/cli": "^11.0.16",
    "@nestjs/schematics": "^11.0.9",
-    "@nestjs/testing": "^11.1.13",
+    "@nestjs/testing": "^11.1.14",
    "@types/express": "^5.0.6",
    "@types/jest": "^30.0.0",
    "@types/jsonwebtoken": "^9.0.10",
-    "@types/node": "^25.2.3",
-    "@types/supertest": "^6.0.3",
+    "@types/node": "^25.3.3",
+    "@types/supertest": "^7.2.0",
    "jest": "^30.2.0",
    "source-map-support": "^0.5.21",
    "supertest": "^7.2.2",
@@ -43,6 +43,7 @@ export class AuthGuard implements CanActivate {
        prefix: "",
        teamPrefix: null,
        profileLimit: 0,
+        teamProfileLimit: 0,
      } satisfies UserContext;
      return true;
    }
@@ -59,6 +60,7 @@ export class AuthGuard implements CanActivate {
          prefix: decoded.prefix || `users/${decoded.sub}/`,
          teamPrefix: decoded.teamPrefix || null,
          profileLimit: decoded.profileLimit || 0,
+          teamProfileLimit: decoded.teamProfileLimit || 0,
        } satisfies UserContext;
        return true;
      } catch (err) {
@@ -3,4 +3,5 @@ export interface UserContext {
  prefix: string; // '' for self-hosted, 'users/{id}/' for cloud
  teamPrefix: string | null; // 'teams/{id}/' or null
  profileLimit: number; // 0 for unlimited (self-hosted)
+  teamProfileLimit: number; // 0 for unlimited or non-team users
 }
@@ -0,0 +1,38 @@
+import {
+  Body,
+  Controller,
+  Headers,
+  HttpCode,
+  Post,
+  UnauthorizedException,
+} from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { SyncService } from "./sync.service.js";
+
+@Controller("v1/internal")
+export class InternalController {
+  private readonly internalKey: string | undefined;
+
+  constructor(
+    private readonly syncService: SyncService,
+    private readonly configService: ConfigService,
+  ) {
+    this.internalKey = this.configService.get<string>("INTERNAL_KEY");
+  }
+
+  @Post("cleanup-excess-profiles")
+  @HttpCode(200)
+  async cleanupExcessProfiles(
+    @Headers("x-internal-key") key: string,
+    @Body() body: { userId: string; maxProfiles: number },
+  ) {
+    if (!this.internalKey || key !== this.internalKey) {
+      throw new UnauthorizedException("Invalid internal key");
+    }
+
+    return this.syncService.cleanupExcessProfiles(
+      body.userId,
+      body.maxProfiles,
+    );
+  }
+}
@@ -1,10 +1,11 @@
 import { Module } from "@nestjs/common";
 import { AuthGuard } from "../auth/auth.guard.js";
+import { InternalController } from "./internal.controller.js";
 import { SyncController } from "./sync.controller.js";
 import { SyncService } from "./sync.service.js";

@Module({
-  controllers: [SyncController],
+  controllers: [SyncController, InternalController],
  providers: [SyncService, AuthGuard],
  exports: [SyncService],
 })
@@ -145,6 +145,7 @@ export class SyncService implements OnModuleInit {
   */
  private scopeKey(ctx: UserContext, key: string): string {
    if (ctx.mode === "self-hosted") return key;
+    if (ctx.teamPrefix && key.startsWith(ctx.teamPrefix)) return key;
    return `${ctx.prefix}${key}`;
  }

@@ -309,10 +310,12 @@ export class SyncService implements OnModuleInit {
    );

    const userPrefix = ctx?.prefix || "";
+    const teamPrefix = ctx?.teamPrefix || "";
    const objects = (response.Contents || []).map((obj) => {
-      // Strip user prefix from returned keys so client sees relative keys
      let key = obj.Key || "";
-      if (userPrefix && key.startsWith(userPrefix)) {
+      if (teamPrefix && key.startsWith(teamPrefix)) {
+        key = key.substring(teamPrefix.length);
+      } else if (userPrefix && key.startsWith(userPrefix)) {
        key = key.substring(userPrefix.length);
      }
      return {
@@ -481,11 +484,15 @@ export class SyncService implements OnModuleInit {
  ): Observable<SubscribeEventDto> {
    const basePrefixes = ["profiles/", "proxies/", "groups/", "tombstones/"];

-    // Scope prefixes for cloud users; self-hosted gets root prefixes
-    const prefixes =
-      ctx.mode === "self-hosted"
-        ? basePrefixes
-        : basePrefixes.map((p) => `${ctx.prefix}${p}`);
+    let prefixes: string[];
+    if (ctx.mode === "self-hosted") {
+      prefixes = basePrefixes;
+    } else {
+      prefixes = basePrefixes.map((p) => `${ctx.prefix}${p}`);
+      if (ctx.teamPrefix) {
+        prefixes.push(...basePrefixes.map((p) => `${ctx.teamPrefix}${p}`));
+      }
+    }

    // Per-connection state (not shared across subscribers)
    let lastKnownState = new Map<string, string>();
@@ -547,6 +554,135 @@ export class SyncService implements OnModuleInit {
    this.changeSubject.next(event);
  }

+  async cleanupExcessProfiles(
+    userId: string,
+    maxProfiles: number,
+  ): Promise<{ deletedProfiles: string[]; remaining: number }> {
+    const userPrefix = `users/${userId}/`;
+    const profilePrefix = `${userPrefix}profiles/`;
+
+    // List all profile directories
+    const profiles: { id: string; lastModified: Date }[] = [];
+    let continuationToken: string | undefined;
+
+    do {
+      const result = await this.s3Client.send(
+        new ListObjectsV2Command({
+          Bucket: this.bucket,
+          Prefix: profilePrefix,
+          Delimiter: "/",
+          MaxKeys: 1000,
+          ContinuationToken: continuationToken,
+        }),
+      );
+
+      if (result.CommonPrefixes) {
+        for (const cp of result.CommonPrefixes) {
+          if (!cp.Prefix) continue;
+          const profileId = cp.Prefix.replace(profilePrefix, "").replace(
+            /\/$/,
+            "",
+          );
+
+          // Get creation time from first object in the profile directory
+          const objects = await this.s3Client.send(
+            new ListObjectsV2Command({
+              Bucket: this.bucket,
+              Prefix: cp.Prefix,
+              MaxKeys: 1,
+            }),
+          );
+
+          const firstObj = objects.Contents?.[0];
+          profiles.push({
+            id: profileId,
+            lastModified: firstObj?.LastModified || new Date(0),
+          });
+        }
+      }
+
+      continuationToken = result.NextContinuationToken;
+    } while (continuationToken);
+
+    if (profiles.length <= maxProfiles) {
+      return { deletedProfiles: [], remaining: profiles.length };
+    }
+
+    // Sort newest first — delete newest excess profiles
+    profiles.sort(
+      (a, b) => b.lastModified.getTime() - a.lastModified.getTime(),
+    );
+
+    const excessCount = profiles.length - maxProfiles;
+    const toDelete = profiles.slice(0, excessCount);
+    const deletedProfiles: string[] = [];
+
+    for (const profile of toDelete) {
+      const prefix = `${profilePrefix}${profile.id}/`;
+
+      // Delete all objects under this profile
+      let delToken: string | undefined;
+      do {
+        const listResult = await this.s3Client.send(
+          new ListObjectsV2Command({
+            Bucket: this.bucket,
+            Prefix: prefix,
+            MaxKeys: 1000,
+            ContinuationToken: delToken,
+          }),
+        );
+
+        const objects = listResult.Contents || [];
+        if (objects.length > 0) {
+          const deleteObjects = objects
+            .filter((obj): obj is typeof obj & { Key: string } => !!obj.Key)
+            .map((obj) => ({ Key: obj.Key }));
+
+          if (deleteObjects.length > 0) {
+            await this.s3Client.send(
+              new DeleteObjectsCommand({
+                Bucket: this.bucket,
+                Delete: { Objects: deleteObjects, Quiet: true },
+              }),
+            );
+          }
+        }
+
+        delToken = listResult.NextContinuationToken;
+      } while (delToken);
+
+      // Create tombstone
+      const tombstoneKey = `${userPrefix}tombstones/profiles/${profile.id}`;
+      const tombstoneData = JSON.stringify({
+        prefix: `profiles/${profile.id}/`,
+        deleted_at: new Date().toISOString(),
+        reason: "excess_profile_cleanup",
+      });
+
+      await this.s3Client.send(
+        new PutObjectCommand({
+          Bucket: this.bucket,
+          Key: tombstoneKey,
+          Body: tombstoneData,
+          ContentType: "application/json",
+        }),
+      );
+
+      deletedProfiles.push(profile.id);
+      this.logger.log(
+        `Cleaned up excess profile ${profile.id} for user ${userId}`,
+      );
+    }
+
+    // Report updated profile usage to backend
+    const remaining = profiles.length - deletedProfiles.length;
+    await this.reportProfileUsage(userId, remaining).catch((err) =>
+      this.logger.warn(`Failed to report usage after cleanup: ${err.message}`),
+    );
+
+    return { deletedProfiles, remaining };
+  }
+
  /**
   * Check if the user has reached their profile limit.
   * Counts objects in the profiles/ prefix.
@@ -554,16 +690,33 @@ export class SyncService implements OnModuleInit {
  private async checkProfileLimit(ctx: UserContext): Promise<void> {
    if (ctx.profileLimit <= 0) return; // 0 = unlimited

-    const profilePrefix = `${ctx.prefix}profiles/`;
-    const result = await this.s3Client.send(
+    let count = 0;
+
+    const userResult = await this.s3Client.send(
      new ListObjectsV2Command({
        Bucket: this.bucket,
-        Prefix: profilePrefix,
+        Prefix: `${ctx.prefix}profiles/`,
        Delimiter: "/",
      }),
    );
+    count += userResult.CommonPrefixes?.length || 0;
+
+    if (ctx.teamPrefix && ctx.teamProfileLimit && ctx.teamProfileLimit > 0) {
+      const teamResult = await this.s3Client.send(
+        new ListObjectsV2Command({
+          Bucket: this.bucket,
+          Prefix: `${ctx.teamPrefix}profiles/`,
+          Delimiter: "/",
+        }),
+      );
+      const teamCount = teamResult.CommonPrefixes?.length || 0;
+      if (teamCount >= ctx.teamProfileLimit) {
+        throw new ForbiddenException(
+          `Team profile limit reached (${ctx.teamProfileLimit}). Ask the team owner to upgrade.`,
+        );
+      }
+    }

-    const count = result.CommonPrefixes?.length || 0;
    if (count >= ctx.profileLimit) {
      throw new ForbiddenException(
        `Profile limit reached (${ctx.profileLimit}). Upgrade your plan for more profiles.`,
@@ -604,6 +757,35 @@ export class SyncService implements OnModuleInit {
    return match ? match[1] : null;
  }

+  private async countTeamProfiles(ctx: UserContext): Promise<number> {
+    if (!ctx.teamPrefix) return 0;
+    const profilePrefix = `${ctx.teamPrefix}profiles/`;
+    let count = 0;
+    let continuationToken: string | undefined;
+
+    do {
+      const result = await this.s3Client.send(
+        new ListObjectsV2Command({
+          Bucket: this.bucket,
+          Prefix: profilePrefix,
+          Delimiter: "/",
+          MaxKeys: 1000,
+          ContinuationToken: continuationToken,
+        }),
+      );
+      count += result.CommonPrefixes?.length || 0;
+      continuationToken = result.NextContinuationToken;
+    } while (continuationToken);
+
+    return count;
+  }
+
+  private extractTeamId(ctx: UserContext): string | null {
+    if (!ctx.teamPrefix) return null;
+    const match = ctx.teamPrefix.match(/^teams\/([^/]+)\/$/);
+    return match ? match[1] : null;
+  }
+
  /**
   * Fire-and-forget: count profiles and report to backend.
   */
@@ -614,7 +796,17 @@ export class SyncService implements OnModuleInit {
    if (!userId) return;

    this.countProfiles(ctx)
-      .then((count) => this.reportProfileUsage(userId, count))
+      .then(async (count) => {
+        await this.reportProfileUsage(userId, count);
+
+        if (ctx.teamPrefix) {
+          const teamCount = await this.countTeamProfiles(ctx);
+          const teamId = this.extractTeamId(ctx);
+          if (teamId) {
+            await this.reportProfileUsage(teamId, teamCount);
+          }
+        }
+      })
      .catch((err) =>
        this.logger.warn(`Failed to report profile usage: ${err.message}`),
      );
@@ -2,7 +2,7 @@
  "name": "donutbrowser",
  "private": true,
  "license": "AGPL-3.0",
-  "version": "0.14.2",
+  "version": "0.15.0",
  "type": "module",
  "scripts": {
    "dev": "next dev --turbopack -p 12341",
@@ -44,7 +44,7 @@
    "@radix-ui/react-tabs": "^1.1.13",
    "@radix-ui/react-tooltip": "^1.2.8",
    "@tanstack/react-table": "^8.21.3",
-    "@tauri-apps/api": "~2.9.0",
+    "@tauri-apps/api": "~2.10.1",
    "@tauri-apps/plugin-deep-link": "^2.4.7",
    "@tauri-apps/plugin-dialog": "^2.6.0",
    "@tauri-apps/plugin-fs": "~2.4.5",
@@ -56,9 +56,9 @@
    "cmdk": "^1.1.1",
    "color": "^5.0.3",
    "flag-icons": "^7.5.0",
-    "i18next": "^25.8.7",
-    "lucide-react": "^0.564.0",
-    "motion": "^12.34.0",
+    "i18next": "^25.8.13",
+    "lucide-react": "^0.576.0",
+    "motion": "^12.34.3",
    "next": "^16.1.6",
    "next-themes": "^0.4.6",
    "radix-ui": "^1.4.3",
@@ -68,34 +68,34 @@
    "react-icons": "^5.5.0",
    "recharts": "3.7.0",
    "sonner": "^2.0.7",
-    "tailwind-merge": "^3.4.0",
+    "tailwind-merge": "^3.5.0",
    "tauri-plugin-macos-permissions-api": "^2.3.0"
  },
  "devDependencies": {
-    "@biomejs/biome": "2.3.15",
-    "@tailwindcss/postcss": "^4.1.18",
-    "@tauri-apps/cli": "~2.9.0",
+    "@biomejs/biome": "2.4.4",
+    "@tailwindcss/postcss": "^4.2.1",
+    "@tauri-apps/cli": "~2.10.0",
    "@types/color": "^4.2.0",
-    "@types/node": "^25.2.3",
+    "@types/node": "^25.3.3",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
    "@vitejs/plugin-react": "^5.1.4",
    "husky": "^9.1.7",
-    "lint-staged": "^16.2.7",
-    "tailwindcss": "^4.1.18",
+    "lint-staged": "^16.3.1",
+    "tailwindcss": "^4.2.1",
    "ts-unused-exports": "^11.0.1",
    "tw-animate-css": "^1.4.0",
    "typescript": "~5.9.3"
  },
-  "packageManager": "pnpm@10.29.3",
+  "packageManager": "pnpm@10.30.1",
  "lint-staged": {
    "**/*.{js,jsx,ts,tsx,json,css}": [
      "biome check --fix"
    ],
    "src-tauri/**/*.rs": [
-      "cd src-tauri && cargo fmt --all",
-      "cd src-tauri && cargo clippy --all-targets --all-features -- -D warnings -D clippy::all",
-      "cd src-tauri && cargo test"
+      "bash -c 'cd src-tauri && cargo fmt --all'",
+      "bash -c 'cd src-tauri && cargo clippy --all-targets --all-features -- -D warnings -D clippy::all'",
+      "bash -c 'cd src-tauri && cargo test --lib'"
    ]
  }
 }
@@ -1,6 +1,6 @@
 [package]
 name = "donutbrowser"
-version = "0.14.2"
+version = "0.15.0"
 description = "Simple Yet Powerful Anti-Detect Browser"
 authors = ["zhom@github"]
 edition = "2021"
@@ -40,6 +40,7 @@ tauri-plugin-opener = "2"
 tauri-plugin-fs = "2"
 tauri-plugin-shell = "2"
 tauri-plugin-deep-link = "2"
+tauri-plugin-single-instance = "2"
 tauri-plugin-dialog = "2"
 tauri-plugin-macos-permissions = "2"
 tauri-plugin-log = "2"
@@ -99,21 +100,19 @@ maxminddb = "0.27"
 quick-xml = { version = "0.39", features = ["serialize"] }

 # VPN support
+lz4_flex = "0.11"
 boringtun = "0.7"
+smoltcp = { version = "0.11", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }

 # Daemon dependencies (tray icon)
 tray-icon = "0.21"
 muda = "0.17"
 tao = "0.34"
-single-instance = "0.3"
 image = "0.25"
 dirs = "6"
 crossbeam-channel = "0.5"
 sys-locale = "0.3"

-[target."cfg(any(target_os = \"macos\", windows, target_os = \"linux\"))".dependencies]
-tauri-plugin-single-instance = { version = "2", features = ["deep-link"] }
-
 [target.'cfg(unix)'.dependencies]
 nix = { version = "0.31", features = ["signal", "process"] }

@@ -14,6 +14,8 @@
 	<string>Donut</string>
 	<key>CFBundleIdentifier</key>
 	<string>com.donutbrowser</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
    <key>CFBundleURLName</key>
    <string>com.donutbrowser</string>
 	<key>CFBundleExecutable</key>
@@ -34,6 +34,8 @@
    "deep-link:allow-get-current",
    "dialog:default",
    "dialog:allow-open",
+    "dialog:allow-save",
+    "fs:allow-write-text-file",
    "macos-permissions:default",
    "macos-permissions:allow-request-microphone-permission",
    "macos-permissions:allow-request-camera-permission",
@@ -1,4 +1,3 @@
-use directories::BaseDirs;
 use reqwest::Client;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
@@ -464,13 +463,7 @@ impl ApiClient {
  }

  fn get_cache_dir() -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
-    let base_dirs = BaseDirs::new().ok_or("Failed to get base directories")?;
-    let app_name = if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    };
-    let cache_dir = base_dirs.cache_dir().join(app_name).join("version_cache");
+    let cache_dir = crate::app_dirs::cache_dir().join("version_cache");
    fs::create_dir_all(&cache_dir)?;
    Ok(cache_dir)
  }
@@ -39,6 +39,7 @@ pub struct ApiProfile {
  pub group_id: Option<String>,
  pub tags: Vec<String>,
  pub is_running: bool,
+  pub proxy_bypass_rules: Vec<String>,
 }

 #[derive(Debug, Serialize, Deserialize, ToSchema)]
@@ -78,6 +79,8 @@ pub struct UpdateProfileRequest {
  pub camoufox_config: Option<serde_json::Value>,
  pub group_id: Option<String>,
  pub tags: Option<Vec<String>>,
+  pub extension_group_id: Option<String>,
+  pub proxy_bypass_rules: Option<Vec<String>>,
 }

 #[derive(Clone)]
@@ -295,30 +298,23 @@ impl ApiServer {

    // Create router with OpenAPI documentation
    let (v1_routes, _) = OpenApiRouter::new()
-      .routes(routes!(
-        get_profiles,
-        create_profile,
-        get_profile,
-        update_profile,
-        delete_profile,
-        run_profile,
-        open_url_in_profile,
-        kill_profile,
-        get_groups,
-        create_group,
-        get_group,
-        update_group,
-        delete_group,
-        get_tags,
-        get_proxies,
-        create_proxy,
-        get_proxy,
-        update_proxy,
-        delete_proxy,
-        download_browser_api,
-        get_browser_versions,
-        check_browser_downloaded,
-      ))
+      .routes(routes!(get_profiles, create_profile))
+      .routes(routes!(get_profile, update_profile, delete_profile))
+      .routes(routes!(run_profile))
+      .routes(routes!(open_url_in_profile))
+      .routes(routes!(kill_profile))
+      .routes(routes!(get_groups, create_group))
+      .routes(routes!(get_group, update_group, delete_group))
+      .routes(routes!(get_tags))
+      .routes(routes!(get_proxies, create_proxy))
+      .routes(routes!(get_proxy, update_proxy, delete_proxy))
+      .routes(routes!(get_extensions))
+      .routes(routes!(delete_extension_api))
+      .routes(routes!(get_extension_groups))
+      .routes(routes!(delete_extension_group_api))
+      .routes(routes!(download_browser_api))
+      .routes(routes!(get_browser_versions))
+      .routes(routes!(check_browser_downloaded))
      .split_for_parts();

    let api = ApiDoc::openapi();
@@ -493,6 +489,7 @@ async fn get_profiles() -> Result<Json<ApiProfilesResponse>, StatusCode> {
          group_id: profile.group_id.clone(),
          tags: profile.tags.clone(),
          is_running: profile.process_id.is_some(), // Simple check based on process_id
+          proxy_bypass_rules: profile.proxy_bypass_rules.clone(),
        })
        .collect();

@@ -547,6 +544,7 @@ async fn get_profile(
            group_id: profile.group_id.clone(),
            tags: profile.tags.clone(),
            is_running: profile.process_id.is_some(), // Simple check based on process_id
+            proxy_bypass_rules: profile.proxy_bypass_rules.clone(),
          },
        }))
      } else {
@@ -601,9 +599,11 @@ async fn create_profile(
      &request.version,
      request.release_type.as_deref().unwrap_or("stable"),
      request.proxy_id.clone(),
+      None, // vpn_id
      camoufox_config,
      wayfern_config,
      request.group_id.clone(),
+      false,
    )
    .await
  {
@@ -643,6 +643,7 @@ async fn create_profile(
          group_id: profile.group_id,
          tags: profile.tags,
          is_running: false,
+          proxy_bypass_rules: profile.proxy_bypass_rules,
        },
      }))
    }
@@ -746,6 +747,29 @@ async fn update_profile(
    }
  }

+  if let Some(extension_group_id) = request.extension_group_id {
+    let ext_group = if extension_group_id.is_empty() {
+      None
+    } else {
+      Some(extension_group_id)
+    };
+    if profile_manager
+      .update_profile_extension_group(&id, ext_group)
+      .is_err()
+    {
+      return Err(StatusCode::BAD_REQUEST);
+    }
+  }
+
+  if let Some(proxy_bypass_rules) = request.proxy_bypass_rules {
+    if profile_manager
+      .update_profile_proxy_bypass_rules(&state.app_handle, &id, proxy_bypass_rules)
+      .is_err()
+    {
+      return Err(StatusCode::BAD_REQUEST);
+    }
+  }
+
  // Return updated profile
  get_profile(Path(id), State(state)).await
 }
@@ -1151,6 +1175,94 @@ async fn delete_proxy(
  }
 }

+// Extension API endpoints
+
+#[utoipa::path(
+  get,
+  path = "/v1/extensions",
+  responses(
+    (status = 200, description = "List of extensions"),
+    (status = 401, description = "Unauthorized"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn get_extensions(
+  State(_state): State<ApiServerState>,
+) -> Result<Json<Vec<crate::extension_manager::Extension>>, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .list_extensions()
+    .map(Json)
+    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)
+}
+
+#[utoipa::path(
+  get,
+  path = "/v1/extension-groups",
+  responses(
+    (status = 200, description = "List of extension groups"),
+    (status = 401, description = "Unauthorized"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn get_extension_groups(
+  State(_state): State<ApiServerState>,
+) -> Result<Json<Vec<crate::extension_manager::ExtensionGroup>>, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .list_groups()
+    .map(Json)
+    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)
+}
+
+#[utoipa::path(
+  delete,
+  path = "/v1/extensions/{id}",
+  params(("id" = String, Path, description = "Extension ID")),
+  responses(
+    (status = 204, description = "Extension deleted"),
+    (status = 401, description = "Unauthorized"),
+    (status = 404, description = "Extension not found"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn delete_extension_api(
+  Path(id): Path<String>,
+  State(state): State<ApiServerState>,
+) -> Result<StatusCode, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .delete_extension(&state.app_handle, &id)
+    .map(|_| StatusCode::NO_CONTENT)
+    .map_err(|_| StatusCode::NOT_FOUND)
+}
+
+#[utoipa::path(
+  delete,
+  path = "/v1/extension-groups/{id}",
+  params(("id" = String, Path, description = "Extension Group ID")),
+  responses(
+    (status = 204, description = "Extension group deleted"),
+    (status = 401, description = "Unauthorized"),
+    (status = 404, description = "Extension group not found"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn delete_extension_group_api(
+  Path(id): Path<String>,
+  State(state): State<ApiServerState>,
+) -> Result<StatusCode, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .delete_group(&state.app_handle, &id)
+    .map(|_| StatusCode::NO_CONTENT)
+    .map_err(|_| StatusCode::NOT_FOUND)
+}
+
 // API Handler - Run Profile with Remote Debugging
 #[utoipa::path(
  post,
@@ -1161,6 +1273,7 @@ async fn delete_proxy(
  request_body = RunProfileRequest,
  responses(
    (status = 200, description = "Profile launched successfully", body = RunProfileResponse),
+    (status = 400, description = "Cannot launch cross-OS profile"),
    (status = 401, description = "Unauthorized"),
    (status = 404, description = "Profile not found"),
    (status = 500, description = "Internal server error")
@@ -1188,6 +1301,15 @@ async fn run_profile(
    .find(|p| p.id.to_string() == id)
    .ok_or(StatusCode::NOT_FOUND)?;

+  if profile.is_cross_os() {
+    return Err(StatusCode::BAD_REQUEST);
+  }
+
+  // Team lock check
+  crate::team_lock::acquire_team_lock_if_needed(profile)
+    .await
+    .map_err(|_| StatusCode::CONFLICT)?;
+
  // Generate a random port for remote debugging
  let remote_debugging_port = rand::random::<u16>().saturating_add(9000).max(9000);

@@ -1282,6 +1404,8 @@ async fn kill_profile(
    .await
    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;

+  crate::team_lock::release_team_lock_if_needed(profile).await;
+
  Ok(StatusCode::NO_CONTENT)
 }

@@ -506,7 +506,8 @@ impl AppAutoUpdater {
        && (asset.name.contains(&format!("_{arch}.dmg"))
          || asset.name.contains(&format!("-{arch}.dmg"))
          || asset.name.contains(&format!("_{arch}_"))
-          || asset.name.contains(&format!("-{arch}-")))
+          || asset.name.contains(&format!("-{arch}-"))
+          || asset.name.contains(&format!("_{arch}-")))
      {
        log::info!("Found exact architecture match: {}", asset.name);
        return Some(asset.browser_download_url.clone());
@@ -564,7 +565,8 @@ impl AppAutoUpdater {
          && (asset.name.contains(&format!("_{arch}.{ext}"))
            || asset.name.contains(&format!("-{arch}.{ext}"))
            || asset.name.contains(&format!("_{arch}_"))
-            || asset.name.contains(&format!("-{arch}-")))
+            || asset.name.contains(&format!("-{arch}-"))
+            || asset.name.contains(&format!("_{arch}-")))
        {
          log::info!("Found Windows {ext} with exact arch match: {}", asset.name);
          return Some(asset.browser_download_url.clone());
@@ -627,7 +629,8 @@ impl AppAutoUpdater {
          && (asset.name.contains(&format!("_{arch}.{ext}"))
            || asset.name.contains(&format!("-{arch}.{ext}"))
            || asset.name.contains(&format!("_{arch}_"))
-            || asset.name.contains(&format!("-{arch}-")))
+            || asset.name.contains(&format!("-{arch}-"))
+            || asset.name.contains(&format!("_{arch}-")))
        {
          log::info!("Found Linux {ext} with exact arch match: {}", asset.name);
          return Some(asset.browser_download_url.clone());
@@ -741,13 +744,36 @@ impl AppAutoUpdater {
    log::info!("Extracting update...");
    let extracted_app_path = self.extract_update(&download_path, &temp_dir).await?;

-    log::info!("Installing update (overwriting binary)...");
-    self.install_update(&extracted_app_path).await?;
+    // On Windows, MSI/EXE installers close the running app, so running them now
+    // would kill the process before the "Update ready" toast can appear. Instead,
+    // defer execution to restart_application() when the user clicks "Restart Now".
+    #[cfg(target_os = "windows")]
+    {
+      let ext = extracted_app_path
+        .extension()
+        .and_then(|e| e.to_str())
+        .unwrap_or("")
+        .to_lowercase();
+      if ext == "msi" || ext == "exe" {
+        log::info!("Deferring Windows installer execution until user-initiated restart");
+        *PENDING_INSTALLER_PATH.lock().unwrap() = Some(extracted_app_path);
+      } else {
+        log::info!("Installing update (overwriting binary)...");
+        self.install_update(&extracted_app_path).await?;
+        log::info!("Cleaning up temporary files...");
+        let _ = fs::remove_dir_all(&temp_dir);
+      }
+    }

-    log::info!("Cleaning up temporary files...");
-    let _ = fs::remove_dir_all(&temp_dir);
+    #[cfg(not(target_os = "windows"))]
+    {
+      log::info!("Installing update (overwriting binary)...");
+      self.install_update(&extracted_app_path).await?;
+      log::info!("Cleaning up temporary files...");
+      let _ = fs::remove_dir_all(&temp_dir);
+    }

-    log::info!("Update installed successfully, emitting app-update-ready event");
+    log::info!("Update ready, emitting app-update-ready event");

    let _ = events::emit("app-update-ready", update_info.new_version.clone());

@@ -1418,14 +1444,63 @@ rm "{}"
    {
      let app_path = self.get_current_app_path()?;
      let current_pid = std::process::id();
+      let pending = PENDING_INSTALLER_PATH.lock().unwrap().take();

-      // Create a temporary restart batch script
      let temp_dir = std::env::temp_dir();
      let script_path = temp_dir.join("donut_restart.bat");
+      let update_temp_dir = temp_dir.join("donut_app_update");

-      // Create the restart script content
-      let script_content = format!(
-        r#"@echo off
+      let script_content = if let Some(installer_path) = pending {
+        let ext = installer_path
+          .extension()
+          .and_then(|e| e.to_str())
+          .unwrap_or("")
+          .to_lowercase();
+        let install_cmd = match ext.as_str() {
+          "msi" => format!(
+            "msiexec /i \"{}\" /quiet /norestart REBOOT=ReallySuppress",
+            installer_path.to_str().unwrap()
+          ),
+          "exe" => format!("\"{}\" /S", installer_path.to_str().unwrap()),
+          _ => String::new(),
+        };
+
+        format!(
+          r#"@echo off
+rem Wait for the current process to exit
+:wait_loop
+tasklist /fi "PID eq {pid}" >nul 2>&1
+if %errorlevel% equ 0 (
+    timeout /t 1 /nobreak >nul
+    goto wait_loop
+)
+
+rem Wait a bit more to ensure clean exit
+timeout /t 2 /nobreak >nul
+
+rem Run the installer
+{install_cmd}
+
+rem Wait for installation to complete
+timeout /t 3 /nobreak >nul
+
+rem Start the new application
+start "" "{app_path}"
+
+rem Clean up installer temp files
+rmdir /s /q "{update_temp}"
+
+rem Clean up this script
+del "%~f0"
+"#,
+          pid = current_pid,
+          install_cmd = install_cmd,
+          app_path = app_path.to_str().unwrap(),
+          update_temp = update_temp_dir.to_str().unwrap(),
+        )
+      } else {
+        format!(
+          r#"@echo off
 rem Wait for the current process to exit
 :wait_loop
 tasklist /fi "PID eq {}" >nul 2>&1
@@ -1443,24 +1518,20 @@ start "" "{}"
 rem Clean up this script
 del "%~f0"
 "#,
-        current_pid,
-        app_path.to_str().unwrap()
-      );
+          current_pid,
+          app_path.to_str().unwrap()
+        )
+      };

-      // Write the script to file
      fs::write(&script_path, script_content)?;

-      // Execute the restart script in the background
      let mut cmd = Command::new("cmd");
      cmd.args(["/C", script_path.to_str().unwrap()]);

-      // Start the process detached
      let _child = cmd.spawn()?;

-      // Give the script a moment to start
      tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;

-      // Exit the current process
      std::process::exit(0);
    }

@@ -1698,15 +1769,10 @@ mod tests {
        browser_download_url: "https://example.com/x64.dmg".to_string(),
        size: 12345,
      },
-      // Windows assets
+      // Windows assets (NSIS naming: _ARCH-setup.exe)
      AppReleaseAsset {
-        name: "Donut.Browser_0.1.0_x64.msi".to_string(),
-        browser_download_url: "https://example.com/x64.msi".to_string(),
-        size: 12345,
-      },
-      AppReleaseAsset {
-        name: "Donut.Browser_0.1.0_x64.exe".to_string(),
-        browser_download_url: "https://example.com/x64.exe".to_string(),
+        name: "Donut_0.1.0_x64-setup.exe".to_string(),
+        browser_download_url: "https://example.com/x64-setup.exe".to_string(),
        size: 12345,
      },
      // Linux assets
@@ -1928,4 +1994,5 @@ mod tests {
 // Global singleton instance
 lazy_static::lazy_static! {
  static ref APP_AUTO_UPDATER: AppAutoUpdater = AppAutoUpdater::new();
+  static ref PENDING_INSTALLER_PATH: std::sync::Mutex<Option<PathBuf>> = std::sync::Mutex::new(None);
 }
@@ -0,0 +1,195 @@
+use directories::BaseDirs;
+use std::path::PathBuf;
+use std::sync::OnceLock;
+
+static BASE_DIRS: OnceLock<BaseDirs> = OnceLock::new();
+
+fn base_dirs() -> &'static BaseDirs {
+  BASE_DIRS.get_or_init(|| BaseDirs::new().expect("Failed to get base directories"))
+}
+
+pub fn app_name() -> &'static str {
+  if cfg!(debug_assertions) {
+    "DonutBrowserDev"
+  } else {
+    "DonutBrowser"
+  }
+}
+
+pub fn data_dir() -> PathBuf {
+  #[cfg(test)]
+  {
+    if let Some(dir) = TEST_DATA_DIR.with(|cell| cell.borrow().clone()) {
+      return dir;
+    }
+  }
+
+  if let Ok(dir) = std::env::var("DONUTBROWSER_DATA_DIR") {
+    return PathBuf::from(dir);
+  }
+
+  base_dirs().data_local_dir().join(app_name())
+}
+
+pub fn cache_dir() -> PathBuf {
+  #[cfg(test)]
+  {
+    if let Some(dir) = TEST_CACHE_DIR.with(|cell| cell.borrow().clone()) {
+      return dir;
+    }
+  }
+
+  if let Ok(dir) = std::env::var("DONUTBROWSER_CACHE_DIR") {
+    return PathBuf::from(dir);
+  }
+
+  base_dirs().cache_dir().join(app_name())
+}
+
+pub fn profiles_dir() -> PathBuf {
+  data_dir().join("profiles")
+}
+
+pub fn binaries_dir() -> PathBuf {
+  data_dir().join("binaries")
+}
+
+pub fn data_subdir() -> PathBuf {
+  data_dir().join("data")
+}
+
+pub fn settings_dir() -> PathBuf {
+  data_dir().join("settings")
+}
+
+pub fn proxies_dir() -> PathBuf {
+  data_dir().join("proxies")
+}
+
+pub fn vpn_dir() -> PathBuf {
+  data_dir().join("vpn")
+}
+
+pub fn extensions_dir() -> PathBuf {
+  data_dir().join("extensions")
+}
+
+#[cfg(test)]
+thread_local! {
+  static TEST_DATA_DIR: std::cell::RefCell<Option<PathBuf>> = const { std::cell::RefCell::new(None) };
+  static TEST_CACHE_DIR: std::cell::RefCell<Option<PathBuf>> = const { std::cell::RefCell::new(None) };
+}
+
+#[cfg(test)]
+pub struct TestDirGuard {
+  kind: TestDirKind,
+}
+
+#[cfg(test)]
+enum TestDirKind {
+  Data,
+  Cache,
+}
+
+#[cfg(test)]
+impl Drop for TestDirGuard {
+  fn drop(&mut self) {
+    match self.kind {
+      TestDirKind::Data => TEST_DATA_DIR.with(|cell| *cell.borrow_mut() = None),
+      TestDirKind::Cache => TEST_CACHE_DIR.with(|cell| *cell.borrow_mut() = None),
+    }
+  }
+}
+
+#[cfg(test)]
+pub fn set_test_data_dir(dir: PathBuf) -> TestDirGuard {
+  TEST_DATA_DIR.with(|cell| *cell.borrow_mut() = Some(dir));
+  TestDirGuard {
+    kind: TestDirKind::Data,
+  }
+}
+
+#[cfg(test)]
+pub fn set_test_cache_dir(dir: PathBuf) -> TestDirGuard {
+  TEST_CACHE_DIR.with(|cell| *cell.borrow_mut() = Some(dir));
+  TestDirGuard {
+    kind: TestDirKind::Cache,
+  }
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_app_name() {
+    let name = app_name();
+    assert!(
+      name == "DonutBrowser" || name == "DonutBrowserDev",
+      "app_name should be DonutBrowser or DonutBrowserDev, got: {name}"
+    );
+  }
+
+  #[test]
+  fn test_data_dir_returns_path() {
+    let dir = data_dir();
+    assert!(
+      dir.to_string_lossy().contains(app_name()),
+      "data_dir should contain app_name"
+    );
+  }
+
+  #[test]
+  fn test_cache_dir_returns_path() {
+    let dir = cache_dir();
+    assert!(
+      dir.to_string_lossy().contains(app_name()),
+      "cache_dir should contain app_name"
+    );
+  }
+
+  #[test]
+  fn test_subdirectory_helpers() {
+    assert!(profiles_dir().ends_with("profiles"));
+    assert!(binaries_dir().ends_with("binaries"));
+    assert!(data_subdir().ends_with("data"));
+    assert!(settings_dir().ends_with("settings"));
+    assert!(proxies_dir().ends_with("proxies"));
+    assert!(vpn_dir().ends_with("vpn"));
+    assert!(extensions_dir().ends_with("extensions"));
+  }
+
+  #[test]
+  fn test_set_test_data_dir() {
+    let tmp = PathBuf::from("/tmp/test-donut-data");
+    let _guard = set_test_data_dir(tmp.clone());
+    assert_eq!(data_dir(), tmp);
+    assert_eq!(profiles_dir(), tmp.join("profiles"));
+    assert_eq!(binaries_dir(), tmp.join("binaries"));
+  }
+
+  #[test]
+  fn test_set_test_cache_dir() {
+    let tmp = PathBuf::from("/tmp/test-donut-cache");
+    let _guard = set_test_cache_dir(tmp.clone());
+    assert_eq!(cache_dir(), tmp);
+  }
+
+  #[test]
+  fn test_guard_cleanup() {
+    let original_data = data_dir();
+    let original_cache = cache_dir();
+
+    {
+      let _guard = set_test_data_dir(PathBuf::from("/tmp/test-cleanup-data"));
+      assert_eq!(data_dir(), PathBuf::from("/tmp/test-cleanup-data"));
+    }
+    assert_eq!(data_dir(), original_data);
+
+    {
+      let _guard = set_test_cache_dir(PathBuf::from("/tmp/test-cleanup-cache"));
+      assert_eq!(cache_dir(), PathBuf::from("/tmp/test-cleanup-cache"));
+    }
+    assert_eq!(cache_dir(), original_cache);
+  }
+}
@@ -61,6 +61,10 @@ impl AutoUpdater {
    let mut browser_profiles: HashMap<String, Vec<BrowserProfile>> = HashMap::new();

    for profile in profiles {
+      if profile.is_cross_os() {
+        continue;
+      }
+
      // Only check supported browsers
      if !self
        .browser_version_manager
@@ -313,6 +317,10 @@ impl AutoUpdater {
    // Find all profiles for this browser that should be updated
    for profile in profiles {
      if profile.browser == browser {
+        if profile.is_cross_os() {
+          continue;
+        }
+
        // Check if profile is currently running
        if profile.process_id.is_some() {
          continue; // Skip running profiles
@@ -362,15 +370,6 @@ impl AutoUpdater {
    Ok(updated_profiles)
  }

-  /// Check if browser is disabled due to ongoing update
-  pub fn is_browser_disabled(
-    &self,
-    browser: &str,
-  ) -> Result<bool, Box<dyn std::error::Error + Send + Sync>> {
-    let state = self.load_auto_update_state()?;
-    Ok(state.disabled_browsers.contains(browser))
-  }
-
  /// Dismiss update notification
  pub fn dismiss_update_notification(
    &self,
@@ -511,6 +510,7 @@ mod tests {
      version: version.to_string(),
      process_id: None,
      proxy_id: None,
+      vpn_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
      camoufox_config: None,
@@ -518,8 +518,15 @@ mod tests {
      group_id: None,
      tags: Vec::new(),
      note: None,
-      sync_enabled: false,
+      sync_mode: crate::profile::types::SyncMode::Disabled,
+      encryption_salt: None,
      last_sync: None,
+      host_os: None,
+      ephemeral: false,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
    }
  }

@@ -16,12 +16,32 @@ use serde::{Deserialize, Serialize};
 use tao::event::{Event, StartCause};
 use tao::event_loop::{ControlFlow, EventLoopBuilder};
 use tokio::runtime::Runtime;
-use tray_icon::{MouseButton, TrayIcon, TrayIconEvent};
+use tray_icon::TrayIcon;
+#[cfg(not(target_os = "macos"))]
+use tray_icon::{MouseButton, TrayIconEvent};

 use donutbrowser_lib::daemon::{autostart, services, tray};

 static SHOULD_QUIT: AtomicBool = AtomicBool::new(false);

+#[cfg(windows)]
+fn win_process_exists(pid: u32) -> bool {
+  const PROCESS_QUERY_LIMITED_INFORMATION: u32 = 0x1000;
+
+  extern "system" {
+    fn OpenProcess(dwDesiredAccess: u32, bInheritHandles: i32, dwProcessId: u32) -> *mut ();
+    fn CloseHandle(hObject: *mut ()) -> i32;
+  }
+
+  let handle = unsafe { OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid) };
+  if handle.is_null() {
+    false
+  } else {
+    unsafe { CloseHandle(handle) };
+    true
+  }
+}
+
 enum ServiceStatus {
  Ready {
    api_port: Option<u16>,
@@ -173,6 +193,41 @@ fn run_daemon() {
  // Store tray icon in Option - created after event loop starts
  let mut tray_icon: Option<TrayIcon> = None;

+  // Install signal handlers so SIGTERM/SIGINT trigger graceful shutdown
+  #[cfg(unix)]
+  unsafe {
+    extern "C" fn signal_handler(_sig: libc::c_int) {
+      SHOULD_QUIT.store(true, std::sync::atomic::Ordering::SeqCst);
+    }
+    libc::signal(
+      libc::SIGTERM,
+      signal_handler as *const () as libc::sighandler_t,
+    );
+    libc::signal(
+      libc::SIGINT,
+      signal_handler as *const () as libc::sighandler_t,
+    );
+  }
+
+  #[cfg(windows)]
+  {
+    extern "system" {
+      fn SetConsoleCtrlHandler(
+        handler: Option<unsafe extern "system" fn(u32) -> i32>,
+        add: i32,
+      ) -> i32;
+    }
+
+    unsafe extern "system" fn ctrl_handler(_ctrl_type: u32) -> i32 {
+      SHOULD_QUIT.store(true, std::sync::atomic::Ordering::SeqCst);
+      1 // TRUE
+    }
+
+    unsafe {
+      SetConsoleCtrlHandler(Some(ctrl_handler), 1);
+    }
+  }
+
  // Run the event loop
  event_loop.run(move |event, _, control_flow| {
    // Use WaitUntil to check for menu events periodically while staying low on CPU
@@ -222,15 +277,15 @@ fn run_daemon() {

        // Process menu events
        while let Ok(event) = menu_channel.try_recv() {
-          if event.id == tray_menu.open_item.id() {
-            tray::open_gui();
-          } else if event.id == tray_menu.quit_item.id() {
+          if event.id == tray_menu.quit_item.id() {
            log::info!("[daemon] Quit requested");
            SHOULD_QUIT.store(true, Ordering::SeqCst);
          }
        }

        // Handle tray icon click (left-click opens the app)
+        // On macOS, left-click already shows the menu, so don't also launch the GUI.
+        #[cfg(not(target_os = "macos"))]
        while let Ok(event) = TrayIconEvent::receiver().try_recv() {
          if let TrayIconEvent::Click {
            button: MouseButton::Left,
@@ -243,12 +298,37 @@ fn run_daemon() {

        // Use swap to only run cleanup once
        if SHOULD_QUIT.swap(false, Ordering::SeqCst) {
-          // Cleanup
+          // Remove tray icon from status bar immediately so the UI feels responsive
+          tray_icon = None;
+
+          tray::quit_gui();
+
          let mut state = read_state();
          state.daemon_pid = None;
          let _ = write_state(&state);
          log::info!("[daemon] Exiting");
-          *control_flow = ControlFlow::Exit;
+
+          // Use process::exit for immediate termination instead of ControlFlow::Exit.
+          // ControlFlow::Exit can delay because tao's macOS event loop defers exit,
+          // and dropping the tokio runtime blocks until all spawned tasks finish.
+          process::exit(0);
+        }
+      }
+      Event::Reopen { .. } => {
+        tray::open_gui();
+
+        // Re-hide daemon from Dock. macOS activates the daemon (making it
+        // visible) when the user clicks the Dock icon, overriding the
+        // Accessory policy set at init.
+        #[cfg(target_os = "macos")]
+        {
+          use objc2::MainThreadMarker;
+          use objc2_app_kit::{NSApplication, NSApplicationActivationPolicy};
+
+          if let Some(mtm) = MainThreadMarker::new() {
+            let app = NSApplication::sharedApplication(mtm);
+            app.setActivationPolicy(NSApplicationActivationPolicy::Accessory);
+          }
        }
      }
      _ => {}
@@ -266,6 +346,32 @@ fn stop_daemon() {
  let state = read_state();

  if let Some(pid) = state.daemon_pid {
+    // On Windows, taskkill /F kills instantly with no handler, so kill GUI first
+    #[cfg(windows)]
+    {
+      use std::os::windows::process::CommandExt;
+      use std::process::Command;
+      const CREATE_NO_WINDOW: u32 = 0x08000000;
+
+      let state_path = get_state_path();
+      if let Ok(content) = fs::read_to_string(&state_path) {
+        if let Ok(val) = serde_json::from_str::<serde_json::Value>(&content) {
+          if let Some(gui_pid) = val.get("gui_pid").and_then(|v| v.as_u64()) {
+            let _ = Command::new("taskkill")
+              .args(["/PID", &gui_pid.to_string(), "/F"])
+              .creation_flags(CREATE_NO_WINDOW)
+              .output();
+          }
+        }
+      }
+
+      let _ = Command::new("taskkill")
+        .args(["/PID", &pid.to_string(), "/F"])
+        .creation_flags(CREATE_NO_WINDOW)
+        .output();
+      eprintln!("Sent stop signal to daemon (PID {})", pid);
+    }
+
    #[cfg(unix)]
    {
      unsafe {
@@ -273,15 +379,6 @@ fn stop_daemon() {
      }
      eprintln!("Sent stop signal to daemon (PID {})", pid);
    }
-
-    #[cfg(windows)]
-    {
-      use std::process::Command;
-      let _ = Command::new("taskkill")
-        .args(["/PID", &pid.to_string(), "/F"])
-        .output();
-      eprintln!("Sent stop signal to daemon (PID {})", pid);
-    }
  } else {
    eprintln!("Daemon is not running");
  }
@@ -295,15 +392,7 @@ fn show_status() {
    let is_running = unsafe { libc::kill(pid as i32, 0) == 0 };

    #[cfg(windows)]
-    let is_running = {
-      use std::process::Command;
-      let output = Command::new("tasklist")
-        .args(["/FI", &format!("PID eq {}", pid)])
-        .output();
-      output
-        .map(|o| String::from_utf8_lossy(&o.stdout).contains(&pid.to_string()))
-        .unwrap_or(false)
-    };
+    let is_running = win_process_exists(pid);

    #[cfg(not(any(unix, windows)))]
    let is_running = false;
@@ -357,10 +446,6 @@ fn main() {

  match args[1].as_str() {
    "start" => {
-      // "start" is now an alias for "run"
-      // On macOS, the daemon should be started via launchctl (see daemon_spawn.rs)
-      // This command is kept for backward compatibility
-      eprintln!("Starting daemon...");
      run_daemon();
    }
    "stop" => {
@@ -147,6 +147,11 @@ async fn main() {
              Arg::new("profile-id")
                .long("profile-id")
                .help("ID of the profile this proxy is associated with"),
+            )
+            .arg(
+              Arg::new("bypass-rules")
+                .long("bypass-rules")
+                .help("JSON array of bypass rules (hostnames, IPs, or regex patterns)"),
            ),
        )
        .subcommand(
@@ -172,6 +177,24 @@ async fn main() {
        )
        .arg(Arg::new("action").required(true).help("Action (start)")),
    )
+    .subcommand(
+      Command::new("vpn-worker")
+        .about("Run a VPN worker process (internal use)")
+        .arg(
+          Arg::new("id")
+            .long("id")
+            .required(true)
+            .help("VPN worker configuration ID"),
+        )
+        .arg(
+          Arg::new("port")
+            .long("port")
+            .value_parser(clap::value_parser!(u16))
+            .required(true)
+            .help("Local SOCKS5 port"),
+        )
+        .arg(Arg::new("action").required(true).help("Action (start)")),
+    )
    .get_matches();

  if let Some(proxy_matches) = matches.subcommand_matches("proxy") {
@@ -199,8 +222,12 @@ async fn main() {

      let port = start_matches.get_one::<u16>("port").copied();
      let profile_id = start_matches.get_one::<String>("profile-id").cloned();
+      let bypass_rules: Vec<String> = start_matches
+        .get_one::<String>("bypass-rules")
+        .and_then(|s| serde_json::from_str(s).ok())
+        .unwrap_or_default();

-      match start_proxy_process_with_profile(upstream_url, port, profile_id).await {
+      match start_proxy_process_with_profile(upstream_url, port, profile_id, bypass_rules).await {
        Ok(config) => {
          // Output the configuration as JSON for the Rust side to parse
          // Use println! here because this needs to go to stdout for parsing
@@ -333,6 +360,107 @@ async fn main() {
      log::error!("Invalid action for proxy-worker. Use 'start'");
      process::exit(1);
    }
+  } else if let Some(vpn_matches) = matches.subcommand_matches("vpn-worker") {
+    let id = vpn_matches.get_one::<String>("id").expect("id is required");
+    let action = vpn_matches
+      .get_one::<String>("action")
+      .expect("action is required");
+    let port = *vpn_matches
+      .get_one::<u16>("port")
+      .expect("port is required");
+
+    if action == "start" {
+      set_high_priority();
+
+      log::info!("VPN worker starting, config id: {}", id);
+      log::info!("Process PID: {}", std::process::id());
+
+      // Retry config loading to handle file system race condition
+      let config = {
+        let mut attempts = 0;
+        loop {
+          if let Some(config) = donutbrowser_lib::vpn_worker_storage::get_vpn_worker_config(id) {
+            log::info!(
+              "Found VPN worker config: id={}, vpn_type={}, vpn_id={}",
+              config.id,
+              config.vpn_type,
+              config.vpn_id
+            );
+            break config;
+          }
+          attempts += 1;
+          if attempts >= 10 {
+            log::error!(
+              "VPN worker configuration {} not found after {} attempts",
+              id,
+              attempts
+            );
+            process::exit(1);
+          }
+          log::info!(
+            "VPN worker config {} not found yet, retrying ({}/10)...",
+            id,
+            attempts
+          );
+          std::thread::sleep(std::time::Duration::from_millis(50));
+        }
+      };
+
+      // Read the decrypted VPN config from the temp file
+      let vpn_config_data = match std::fs::read_to_string(&config.config_file_path) {
+        Ok(data) => data,
+        Err(e) => {
+          log::error!(
+            "Failed to read VPN config file {}: {}",
+            config.config_file_path,
+            e
+          );
+          process::exit(1);
+        }
+      };
+
+      match config.vpn_type.as_str() {
+        "wireguard" => {
+          let wg_config = match donutbrowser_lib::vpn::parse_wireguard_config(&vpn_config_data) {
+            Ok(c) => c,
+            Err(e) => {
+              log::error!("Failed to parse WireGuard config: {}", e);
+              process::exit(1);
+            }
+          };
+
+          let server =
+            donutbrowser_lib::vpn::socks5_server::WireGuardSocks5Server::new(wg_config, port);
+          if let Err(e) = server.run(id.clone()).await {
+            log::error!("VPN worker failed: {}", e);
+            process::exit(1);
+          }
+        }
+        "openvpn" => {
+          let ovpn_config = match donutbrowser_lib::vpn::parse_openvpn_config(&vpn_config_data) {
+            Ok(c) => c,
+            Err(e) => {
+              log::error!("Failed to parse OpenVPN config: {}", e);
+              process::exit(1);
+            }
+          };
+
+          let server =
+            donutbrowser_lib::vpn::openvpn_socks5::OpenVpnSocks5Server::new(ovpn_config, port);
+          if let Err(e) = server.run(id.clone()).await {
+            log::error!("VPN worker failed: {}", e);
+            process::exit(1);
+          }
+        }
+        other => {
+          log::error!("Unknown VPN type: {}", other);
+          process::exit(1);
+        }
+      }
+    } else {
+      log::error!("Invalid action for vpn-worker. Use 'start'");
+      process::exit(1);
+    }
  } else {
    log::error!("No command specified");
    process::exit(1);
@@ -612,7 +612,7 @@ mod windows {
    if let Ok(entries) = std::fs::read_dir(install_dir) {
      for entry in entries.flatten() {
        let path = entry.path();
-        if path.extension().is_some_and(|ext| ext == "exe") {
+        if path.extension().is_some_and(|ext| ext == "exe") && is_pe_executable(&path) {
          let name = path
            .file_stem()
            .unwrap_or_default()
@@ -716,7 +716,7 @@ mod windows {
      for entry in entries.flatten() {
        let path = entry.path();

-        if path.extension().is_some_and(|ext| ext == "exe") {
+        if path.extension().is_some_and(|ext| ext == "exe") && is_pe_executable(&path) {
          let name = path
            .file_stem()
            .unwrap_or_default()
@@ -1185,6 +1185,22 @@ impl BrowserFactory {
  }
 }

+/// Check if a file is a valid PE executable by reading its magic bytes (MZ).
+/// Returns false for archive files (.zip starts with PK, etc.) that were
+/// incorrectly named with a .exe extension.
+#[cfg(target_os = "windows")]
+fn is_pe_executable(path: &Path) -> bool {
+  use std::io::Read;
+  let Ok(mut file) = std::fs::File::open(path) else {
+    return false;
+  };
+  let mut magic = [0u8; 2];
+  if file.read_exact(&mut magic).is_err() {
+    return false;
+  }
+  magic == [0x4D, 0x5A] // MZ
+}
+
 // Factory function to create browser instances (kept for backward compatibility)
 pub fn create_browser(browser_type: BrowserType) -> Box<dyn Browser> {
  BrowserFactory::instance().create_browser(browser_type)
@@ -1,18 +1,17 @@
 use crate::browser::{create_browser, BrowserType, ProxySettings};
 use crate::camoufox_manager::{CamoufoxConfig, CamoufoxManager};
+use crate::cloud_auth::CLOUD_AUTH;
 use crate::downloaded_browsers_registry::DownloadedBrowsersRegistry;
 use crate::events;
 use crate::platform_browser;
 use crate::profile::{BrowserProfile, ProfileManager};
 use crate::proxy_manager::PROXY_MANAGER;
 use crate::wayfern_manager::{WayfernConfig, WayfernManager};
-use directories::BaseDirs;
 use serde::Serialize;
 use std::path::PathBuf;
 use std::time::{SystemTime, UNIX_EPOCH};
 use sysinfo::System;
 pub struct BrowserRunner {
-  base_dirs: BaseDirs,
  pub profile_manager: &'static ProfileManager,
  pub downloaded_browsers_registry: &'static DownloadedBrowsersRegistry,
  auto_updater: &'static crate::auto_updater::AutoUpdater,
@@ -23,7 +22,6 @@ pub struct BrowserRunner {
 impl BrowserRunner {
  fn new() -> Self {
    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
      profile_manager: ProfileManager::instance(),
      downloaded_browsers_registry: DownloadedBrowsersRegistry::instance(),
      auto_updater: crate::auto_updater::AutoUpdater::instance(),
@@ -37,14 +35,18 @@ impl BrowserRunner {
  }

  pub fn get_binaries_dir(&self) -> PathBuf {
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("binaries");
-    path
+    crate::app_dirs::binaries_dir()
+  }
+
+  /// Refresh cloud proxy credentials if the profile uses a cloud or cloud-derived proxy,
+  /// then resolve the proxy settings.
+  async fn resolve_proxy_with_refresh(&self, proxy_id: Option<&String>) -> Option<ProxySettings> {
+    let proxy_id = proxy_id?;
+    if PROXY_MANAGER.is_cloud_or_derived(proxy_id) {
+      log::info!("Refreshing cloud proxy credentials before launch for proxy {proxy_id}");
+      CLOUD_AUTH.sync_cloud_proxy().await;
+    }
+    PROXY_MANAGER.get_proxy_settings_by_id(proxy_id)
  }

  /// Get the executable path for a browser profile
@@ -90,17 +92,6 @@ impl BrowserRunner {
    remote_debugging_port: Option<u16>,
    headless: bool,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error + Send + Sync>> {
-    // Check if browser is disabled due to ongoing update
-    if self.auto_updater.is_browser_disabled(&profile.browser)? {
-      return Err(
-        format!(
-          "{} is currently being updated. Please wait for the update to complete.",
-          profile.browser
-        )
-        .into(),
-      );
-    }
-
    // Handle Camoufox profiles using CamoufoxManager
    if profile.browser == "camoufox" {
      // Get or create camoufox config
@@ -113,10 +104,33 @@ impl BrowserRunner {
      });

      // Always start a local proxy for Camoufox (for traffic monitoring and geoip support)
-      let upstream_proxy = profile
-        .proxy_id
-        .as_ref()
-        .and_then(|id| PROXY_MANAGER.get_proxy_settings_by_id(id));
+      // Refresh cloud proxy credentials if needed before resolving
+      let mut upstream_proxy = self
+        .resolve_proxy_with_refresh(profile.proxy_id.as_ref())
+        .await;
+
+      // If profile has a VPN instead of proxy, start VPN worker and use it as upstream
+      if upstream_proxy.is_none() {
+        if let Some(ref vpn_id) = profile.vpn_id {
+          match crate::vpn_worker_runner::start_vpn_worker(vpn_id).await {
+            Ok(vpn_worker) => {
+              if let Some(port) = vpn_worker.local_port {
+                upstream_proxy = Some(ProxySettings {
+                  proxy_type: "socks5".to_string(),
+                  host: "127.0.0.1".to_string(),
+                  port,
+                  username: None,
+                  password: None,
+                });
+                log::info!("VPN worker started for Camoufox profile on port {}", port);
+              }
+            }
+            Err(e) => {
+              return Err(format!("Failed to start VPN worker: {e}").into());
+            }
+          }
+        }
+      }

      log::info!(
        "Starting local proxy for Camoufox profile: {} (upstream: {})",
@@ -136,6 +150,7 @@ impl BrowserRunner {
          upstream_proxy.as_ref(),
          0, // Use 0 as temporary PID, will be updated later
          Some(&profile_id_str),
+          profile.proxy_bypass_rules.clone(),
        )
        .await
        .map_err(|e| {
@@ -208,6 +223,40 @@ impl BrowserRunner {
        );
      }

+      // Create ephemeral dir for ephemeral profiles
+      let override_profile_path = if profile.ephemeral {
+        let dir = crate::ephemeral_dirs::create_ephemeral_dir(&profile.id.to_string())
+          .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;
+        Some(dir)
+      } else {
+        None
+      };
+
+      // Install extensions if an extension group is assigned
+      if updated_profile.extension_group_id.is_some() {
+        let profiles_dir = self.profile_manager.get_profiles_dir();
+        let ext_profile_path = if let Some(ref override_path) = override_profile_path {
+          override_path.clone()
+        } else {
+          updated_profile.get_profile_data_path(&profiles_dir)
+        };
+        let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+        match mgr.install_extensions_for_profile(&updated_profile, &ext_profile_path) {
+          Ok(paths) => {
+            if !paths.is_empty() {
+              log::info!(
+                "Installed {} Firefox extensions for profile: {}",
+                paths.len(),
+                updated_profile.name
+              );
+            }
+          }
+          Err(e) => {
+            log::warn!("Failed to install extensions for Camoufox profile: {e}");
+          }
+        }
+      }
+
      // Launch Camoufox browser
      log::info!("Launching Camoufox for profile: {}", profile.name);
      let camoufox_result = self
@@ -217,6 +266,7 @@ impl BrowserRunner {
          updated_profile.clone(),
          camoufox_config,
          url,
+          override_profile_path,
        )
        .await
        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
@@ -312,10 +362,33 @@ impl BrowserRunner {
      });

      // Always start a local proxy for Wayfern (for traffic monitoring and geoip support)
-      let upstream_proxy = profile
-        .proxy_id
-        .as_ref()
-        .and_then(|id| PROXY_MANAGER.get_proxy_settings_by_id(id));
+      // Refresh cloud proxy credentials if needed before resolving
+      let mut upstream_proxy = self
+        .resolve_proxy_with_refresh(profile.proxy_id.as_ref())
+        .await;
+
+      // If profile has a VPN instead of proxy, start VPN worker and use it as upstream
+      if upstream_proxy.is_none() {
+        if let Some(ref vpn_id) = profile.vpn_id {
+          match crate::vpn_worker_runner::start_vpn_worker(vpn_id).await {
+            Ok(vpn_worker) => {
+              if let Some(port) = vpn_worker.local_port {
+                upstream_proxy = Some(ProxySettings {
+                  proxy_type: "socks5".to_string(),
+                  host: "127.0.0.1".to_string(),
+                  port,
+                  username: None,
+                  password: None,
+                });
+                log::info!("VPN worker started for Wayfern profile on port {}", port);
+              }
+            }
+            Err(e) => {
+              return Err(format!("Failed to start VPN worker: {e}").into());
+            }
+          }
+        }
+      }

      log::info!(
        "Starting local proxy for Wayfern profile: {} (upstream: {})",
@@ -335,6 +408,7 @@ impl BrowserRunner {
          upstream_proxy.as_ref(),
          0, // Use 0 as temporary PID, will be updated later
          Some(&profile_id_str),
+          profile.proxy_bypass_rules.clone(),
        )
        .await
        .map_err(|e| {
@@ -397,14 +471,42 @@ impl BrowserRunner {
        );
      }

+      // Create ephemeral dir for ephemeral profiles
+      if profile.ephemeral {
+        crate::ephemeral_dirs::create_ephemeral_dir(&profile.id.to_string())
+          .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;
+      }
+
      // Launch Wayfern browser
      log::info!("Launching Wayfern for profile: {}", profile.name);

      // Get profile path for Wayfern
      let profiles_dir = self.profile_manager.get_profiles_dir();
-      let profile_data_path = updated_profile.get_profile_data_path(&profiles_dir);
+      let profile_data_path =
+        crate::ephemeral_dirs::get_effective_profile_path(&updated_profile, &profiles_dir);
      let profile_path_str = profile_data_path.to_string_lossy().to_string();

+      // Install extensions if an extension group is assigned
+      let mut extension_paths = Vec::new();
+      if updated_profile.extension_group_id.is_some() {
+        let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+        match mgr.install_extensions_for_profile(&updated_profile, &profile_data_path) {
+          Ok(paths) => {
+            if !paths.is_empty() {
+              log::info!(
+                "Prepared {} Chromium extensions for profile: {}",
+                paths.len(),
+                updated_profile.name
+              );
+            }
+            extension_paths = paths;
+          }
+          Err(e) => {
+            log::warn!("Failed to install extensions for Wayfern profile: {e}");
+          }
+        }
+      }
+
      // Get proxy URL from config
      let proxy_url = wayfern_config.proxy.as_deref();

@@ -417,6 +519,8 @@ impl BrowserRunner {
          &wayfern_config,
          url.as_deref(),
          proxy_url,
+          profile.ephemeral,
+          &extension_paths,
        )
        .await
        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
@@ -516,11 +620,10 @@ impl BrowserRunner {
      // Continue anyway, the error might not be critical
    }

-    // Get stored proxy settings for later use (removed as we handle this in proxy startup)
-    let _stored_proxy_settings = profile
-      .proxy_id
-      .as_ref()
-      .and_then(|id| PROXY_MANAGER.get_proxy_settings_by_id(id));
+    // Refresh cloud proxy credentials if needed before resolving
+    let _stored_proxy_settings = self
+      .resolve_proxy_with_refresh(profile.proxy_id.as_ref())
+      .await;

    // Use provided local proxy for Chromium-based browsers launch arguments
    let proxy_for_launch_args: Option<&ProxySettings> = local_proxy_settings;
@@ -749,7 +852,8 @@ impl BrowserRunner {
    if profile.browser == "camoufox" {
      // Get the profile path based on the UUID
      let profiles_dir = self.profile_manager.get_profiles_dir();
-      let profile_data_path = profile.get_profile_data_path(&profiles_dir);
+      let profile_data_path =
+        crate::ephemeral_dirs::get_effective_profile_path(profile, &profiles_dir);
      let profile_path_str = profile_data_path.to_string_lossy();

      // Check if the process is running
@@ -803,7 +907,8 @@ impl BrowserRunner {
    // Handle Wayfern profiles using WayfernManager
    if profile.browser == "wayfern" {
      let profiles_dir = self.profile_manager.get_profiles_dir();
-      let profile_data_path = profile.get_profile_data_path(&profiles_dir);
+      let profile_data_path =
+        crate::ephemeral_dirs::get_effective_profile_path(profile, &profiles_dir);
      let profile_path_str = profile_data_path.to_string_lossy();

      // Check if the process is running
@@ -988,6 +1093,7 @@ impl BrowserRunner {
        upstream_proxy.as_ref(),
        temp_pid,
        Some(&profile_id_str),
+        profile.proxy_bypass_rules.clone(),
      )
      .await
      .map_err(|e| {
@@ -1201,7 +1307,8 @@ impl BrowserRunner {
    if profile.browser == "camoufox" {
      // Search by profile path to find the running Camoufox instance
      let profiles_dir = self.profile_manager.get_profiles_dir();
-      let profile_data_path = profile.get_profile_data_path(&profiles_dir);
+      let profile_data_path =
+        crate::ephemeral_dirs::get_effective_profile_path(profile, &profiles_dir);
      let profile_path_str = profile_data_path.to_string_lossy();

      log::info!(
@@ -1294,7 +1401,11 @@ impl BrowserRunner {
                    #[cfg(target_os = "linux")]
                    {
                      use crate::platform_browser;
-                      if let Err(e) = platform_browser::linux::kill_browser_process_impl(pid).await
+                      if let Err(e) = platform_browser::linux::kill_browser_process_impl(
+                        pid,
+                        Some(&profile_path_str),
+                      )
+                      .await
                      {
                        log::error!("Failed to force kill Camoufox process {}: {}", pid, e);
                      } else {
@@ -1375,7 +1486,12 @@ impl BrowserRunner {
                  #[cfg(target_os = "linux")]
                  {
                    use crate::platform_browser;
-                    if let Err(e) = platform_browser::linux::kill_browser_process_impl(pid).await {
+                    if let Err(e) = platform_browser::linux::kill_browser_process_impl(
+                      pid,
+                      Some(&profile_path_str),
+                    )
+                    .await
+                    {
                      log::error!("Failed to force kill Camoufox process {}: {}", pid, e);
                    } else {
                      // Verify the process is actually dead after force kill
@@ -1463,7 +1579,8 @@ impl BrowserRunner {
                {
                  use crate::platform_browser;
                  if let Err(kill_err) =
-                    platform_browser::linux::kill_browser_process_impl(pid).await
+                    platform_browser::linux::kill_browser_process_impl(pid, Some(&profile_path_str))
+                      .await
                  {
                    log::error!(
                      "Failed to force kill Camoufox process {}: {}",
@@ -1619,6 +1736,10 @@ impl BrowserRunner {
        );
      }

+      if profile.ephemeral {
+        crate::ephemeral_dirs::remove_ephemeral_dir(&profile.id.to_string());
+      }
+
      log::info!(
        "Camoufox process cleanup completed for profile: {} (ID: {})",
        profile.name,
@@ -1644,7 +1765,8 @@ impl BrowserRunner {
    // Handle Wayfern profiles using WayfernManager
    if profile.browser == "wayfern" {
      let profiles_dir = self.profile_manager.get_profiles_dir();
-      let profile_data_path = profile.get_profile_data_path(&profiles_dir);
+      let profile_data_path =
+        crate::ephemeral_dirs::get_effective_profile_path(profile, &profiles_dir);
      let profile_path_str = profile_data_path.to_string_lossy();

      log::info!(
@@ -1728,7 +1850,12 @@ impl BrowserRunner {
                  #[cfg(target_os = "linux")]
                  {
                    use crate::platform_browser;
-                    if let Err(e) = platform_browser::linux::kill_browser_process_impl(pid).await {
+                    if let Err(e) = platform_browser::linux::kill_browser_process_impl(
+                      pid,
+                      Some(&profile_path_str),
+                    )
+                    .await
+                    {
                      log::error!("Failed to force kill Wayfern process {}: {}", pid, e);
                    } else {
                      sleep(Duration::from_millis(500)).await;
@@ -1799,7 +1926,8 @@ impl BrowserRunner {
                {
                  use crate::platform_browser;
                  if let Err(kill_err) =
-                    platform_browser::linux::kill_browser_process_impl(pid).await
+                    platform_browser::linux::kill_browser_process_impl(pid, Some(&profile_path_str))
+                      .await
                  {
                    log::error!("Failed to force kill Wayfern process {}: {}", pid, kill_err);
                  } else {
@@ -1937,6 +2065,10 @@ impl BrowserRunner {
        );
      }

+      if profile.ephemeral {
+        crate::ephemeral_dirs::remove_ephemeral_dir(&profile.id.to_string());
+      }
+
      log::info!(
        "Wayfern process cleanup completed for profile: {} (ID: {})",
        profile.name,
@@ -2092,7 +2224,12 @@ impl BrowserRunner {
    platform_browser::windows::kill_browser_process_impl(pid).await?;

    #[cfg(target_os = "linux")]
-    platform_browser::linux::kill_browser_process_impl(pid).await?;
+    {
+      let profiles_dir = self.profile_manager.get_profiles_dir();
+      let profile_data_path = profile.get_profile_data_path(&profiles_dir);
+      let profile_path_str = profile_data_path.to_string_lossy().to_string();
+      platform_browser::linux::kill_browser_process_impl(pid, Some(&profile_path_str)).await?;
+    }

    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "linux")))]
    return Err("Unsupported platform".into());
@@ -2355,6 +2492,14 @@ impl BrowserRunner {
      .find(|p| p.id.to_string() == profile_id)
      .ok_or_else(|| format!("Profile '{profile_id}' not found"))?;

+    if profile.is_cross_os() {
+      return Err(format!(
+        "Cannot open URL with profile '{}': it was created on {} and is not supported on this system",
+        profile.name,
+        profile.host_os.as_deref().unwrap_or("unknown")
+      ));
+    }
+
    log::info!("Opening URL '{url}' with profile '{profile_id}'");

    // Use launch_or_open_url which handles both launching new instances and opening in existing ones
@@ -2383,6 +2528,17 @@ pub async fn launch_browser_profile(
    profile.id
  );

+  if profile.is_cross_os() {
+    return Err(format!(
+      "Cannot launch profile '{}': it was created on {} and is not supported on this system",
+      profile.name,
+      profile.host_os.as_deref().unwrap_or("unknown")
+    ));
+  }
+
+  // Team lock check: if profile is sync-enabled and user is on a team, acquire lock
+  crate::team_lock::acquire_team_lock_if_needed(&profile).await?;
+
  let browser_runner = BrowserRunner::instance();

  // Store the internal proxy settings for passing to launch_browser
@@ -2413,11 +2569,34 @@ pub async fn launch_browser_profile(
  // This ensures all traffic goes through the local proxy for monitoring and future features
  if profile.browser != "camoufox" && profile.browser != "wayfern" {
    // Determine upstream proxy if configured; otherwise use DIRECT (no upstream)
-    let upstream_proxy = profile_for_launch
+    let mut upstream_proxy = profile_for_launch
      .proxy_id
      .as_ref()
      .and_then(|id| PROXY_MANAGER.get_proxy_settings_by_id(id));

+    // If profile has a VPN instead of proxy, start VPN worker and use it as upstream
+    if upstream_proxy.is_none() {
+      if let Some(ref vpn_id) = profile_for_launch.vpn_id {
+        match crate::vpn_worker_runner::start_vpn_worker(vpn_id).await {
+          Ok(vpn_worker) => {
+            if let Some(port) = vpn_worker.local_port {
+              upstream_proxy = Some(ProxySettings {
+                proxy_type: "socks5".to_string(),
+                host: "127.0.0.1".to_string(),
+                port,
+                username: None,
+                password: None,
+              });
+              log::info!("VPN worker started for profile on port {}", port);
+            }
+          }
+          Err(e) => {
+            return Err(format!("Failed to start VPN worker: {e}"));
+          }
+        }
+      }
+    }
+
    // Use a temporary PID (1) to start the proxy, we'll update it after browser launch
    let temp_pid = 1u32;
    let profile_id_str = profile.id.to_string();
@@ -2430,6 +2609,7 @@ pub async fn launch_browser_profile(
        upstream_proxy.as_ref(),
        temp_pid,
        Some(&profile_id_str),
+        profile_for_launch.proxy_bypass_rules.clone(),
      )
      .await
    {
@@ -2562,6 +2742,56 @@ pub async fn kill_browser_profile(
        profile.name,
        profile.id
      );
+
+      // Release team lock if applicable
+      crate::team_lock::release_team_lock_if_needed(&profile).await;
+
+      // Auto-update non-running profiles and cleanup unused binaries
+      let browser_for_update = profile.browser.clone();
+      let app_handle_for_update = app_handle.clone();
+      tauri::async_runtime::spawn(async move {
+        let registry = crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+        let mut versions = registry.get_downloaded_versions(&browser_for_update);
+        if !versions.is_empty() {
+          versions.sort_by(|a, b| crate::api_client::compare_versions(b, a));
+          let latest_version = &versions[0];
+
+          let auto_updater = crate::auto_updater::AutoUpdater::instance();
+          match auto_updater
+            .auto_update_profile_versions(
+              &app_handle_for_update,
+              &browser_for_update,
+              latest_version,
+            )
+            .await
+          {
+            Ok(updated) => {
+              if !updated.is_empty() {
+                log::info!(
+                  "Auto-updated {} profiles after stop: {:?}",
+                  updated.len(),
+                  updated
+                );
+              }
+            }
+            Err(e) => {
+              log::error!("Failed to auto-update profile versions after stop: {e}");
+            }
+          }
+        }
+
+        match registry.cleanup_unused_binaries() {
+          Ok(cleaned) => {
+            if !cleaned.is_empty() {
+              log::info!("Cleaned up unused binaries after stop: {:?}", cleaned);
+            }
+          }
+          Err(e) => {
+            log::error!("Failed to cleanup unused binaries after stop: {e}");
+          }
+        }
+      });
+
      Ok(())
    }
    Err(e) => {
@@ -2595,6 +2825,14 @@ pub async fn launch_browser_profile_with_debugging(
  remote_debugging_port: Option<u16>,
  headless: bool,
 ) -> Result<BrowserProfile, String> {
+  if profile.is_cross_os() {
+    return Err(format!(
+      "Cannot launch profile '{}': it was created on {} and is not supported on this system",
+      profile.name,
+      profile.host_os.as_deref().unwrap_or("unknown")
+    ));
+  }
+
  let browser_runner = BrowserRunner::instance();
  browser_runner
    .launch_browser_with_debugging(app_handle, &profile, url, remote_debugging_port, headless)
@@ -685,7 +685,7 @@ impl BrowserVersionManager {
          "macos-arm64" | "macos-x64" => (format!("wayfern-{version}-{platform_key}.dmg"), true),
          "linux-x64" | "linux-arm64" => (format!("wayfern-{version}-{platform_key}.tar.xz"), true),
          "windows-x64" | "windows-arm64" => {
-            (format!("wayfern-{version}-{platform_key}.exe"), false)
+            (format!("wayfern-{version}-{platform_key}.zip"), true)
          }
          _ => {
            return Err(
@@ -267,6 +267,7 @@ impl Default for LocaleSelector {
 }

 /// Normalize a locale string to standard format.
+/// Handles formats like "en-US", "zh-Hant-US", "zh-Hans-CN".
 fn normalize_locale(locale: &str) -> Locale {
  let parts: Vec<&str> = locale.split('-').collect();

@@ -275,23 +276,33 @@ fn normalize_locale(locale: &str) -> Locale {
    .map(|s| s.to_lowercase())
    .unwrap_or_else(|| "en".to_string());

-  let region = parts.get(1).map(|s| s.to_uppercase());
+  // A 4-letter part is a script subtag (e.g. "Hant", "Hans", "Cyrl").
+  // A 2-letter or 3-digit part is a region subtag (e.g. "US", "CN").
+  let mut explicit_script: Option<String> = None;
+  let mut region: Option<String> = None;

-  // Determine script based on language if needed
-  let script = match language.as_str() {
-    "zh" => {
-      // Chinese - Traditional for TW/HK, Simplified otherwise
-      if region.as_deref() == Some("TW") || region.as_deref() == Some("HK") {
-        Some("Hant".to_string())
-      } else {
-        Some("Hans".to_string())
+  for part in parts.iter().skip(1) {
+    if part.len() == 4 && part.chars().all(|c| c.is_ascii_alphabetic()) {
+      explicit_script = Some(part[..1].to_uppercase() + &part[1..].to_lowercase());
+    } else {
+      region = Some(part.to_uppercase());
+    }
+  }
+
+  let script = if explicit_script.is_some() {
+    explicit_script
+  } else {
+    match language.as_str() {
+      "zh" => {
+        if region.as_deref() == Some("TW") || region.as_deref() == Some("HK") {
+          Some("Hant".to_string())
+        } else {
+          Some("Hans".to_string())
+        }
      }
+      "sr" => Some("Cyrl".to_string()),
+      _ => None,
    }
-    "sr" => {
-      // Serbian - can be Cyrillic or Latin
-      Some("Cyrl".to_string())
-    }
-    _ => None,
  };

  Locale {
@@ -442,5 +453,16 @@ mod tests {

    let zh_cn = normalize_locale("zh-CN");
    assert_eq!(zh_cn.script, Some("Hans".to_string()));
+
+    // 3-part locale: language-script-region
+    let zh_hant_us = normalize_locale("zh-Hant-US");
+    assert_eq!(zh_hant_us.language, "zh");
+    assert_eq!(zh_hant_us.region, Some("US".to_string()));
+    assert_eq!(zh_hant_us.script, Some("Hant".to_string()));
+
+    let zh_hans_us = normalize_locale("zh-Hans-US");
+    assert_eq!(zh_hans_us.language, "zh");
+    assert_eq!(zh_hans_us.region, Some("US".to_string()));
+    assert_eq!(zh_hans_us.script, Some("Hans".to_string()));
  }
 }
@@ -1,7 +1,6 @@
 use crate::browser_runner::BrowserRunner;
 use crate::camoufox::{CamoufoxConfigBuilder, GeoIPOption, ScreenConstraints};
 use crate::profile::BrowserProfile;
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::path::PathBuf;
@@ -74,7 +73,6 @@ struct CamoufoxManagerInner {

 pub struct CamoufoxManager {
  inner: Arc<AsyncMutex<CamoufoxManagerInner>>,
-  base_dirs: BaseDirs,
 }

 impl CamoufoxManager {
@@ -83,7 +81,6 @@ impl CamoufoxManager {
      inner: Arc::new(AsyncMutex::new(CamoufoxManagerInner {
        instances: HashMap::new(),
      })),
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
    }
  }

@@ -92,14 +89,7 @@ impl CamoufoxManager {
  }

  pub fn get_profiles_dir(&self) -> PathBuf {
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("profiles");
-    path
+    crate::app_dirs::profiles_dir()
  }

  /// Generate Camoufox fingerprint configuration during profile creation
@@ -111,7 +101,15 @@ impl CamoufoxManager {
  ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
    // Get executable path
    let executable_path = if let Some(path) = &config.executable_path {
-      PathBuf::from(path)
+      let p = PathBuf::from(path);
+      if p.exists() {
+        p
+      } else {
+        log::warn!("Stored Camoufox executable path does not exist: {path}, falling back to dynamic resolution");
+        BrowserRunner::instance()
+          .get_browser_executable_path(profile)
+          .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
+      }
    } else {
      BrowserRunner::instance()
        .get_browser_executable_path(profile)
@@ -204,7 +202,15 @@ impl CamoufoxManager {

    // Get executable path
    let executable_path = if let Some(path) = &config.executable_path {
-      PathBuf::from(path)
+      let p = PathBuf::from(path);
+      if p.exists() {
+        p
+      } else {
+        log::warn!("Stored Camoufox executable path does not exist: {path}, falling back to dynamic resolution");
+        BrowserRunner::instance()
+          .get_browser_executable_path(profile)
+          .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
+      }
    } else {
      BrowserRunner::instance()
        .get_browser_executable_path(profile)
@@ -360,8 +366,11 @@ impl CamoufoxManager {

    #[cfg(windows)]
    {
+      use std::os::windows::process::CommandExt;
+      const CREATE_NO_WINDOW: u32 = 0x08000000;
      let result = std::process::Command::new("taskkill")
        .args(["/PID", &pid.to_string(), "/T"])
+        .creation_flags(CREATE_NO_WINDOW)
        .status();

      match result {
@@ -576,10 +585,15 @@ impl CamoufoxManager {
    profile: BrowserProfile,
    config: CamoufoxConfig,
    url: Option<String>,
+    override_profile_path: Option<std::path::PathBuf>,
  ) -> Result<CamoufoxLaunchResult, String> {
    // Get profile path
-    let profiles_dir = self.get_profiles_dir();
-    let profile_path = profile.get_profile_data_path(&profiles_dir);
+    let profile_path = if let Some(ref override_path) = override_profile_path {
+      override_path.clone()
+    } else {
+      let profiles_dir = self.get_profiles_dir();
+      profile.get_profile_data_path(&profiles_dir)
+    };
    let profile_path_str = profile_path.to_string_lossy();

    // Check if there's already a running instance for this profile
@@ -591,6 +605,32 @@ impl CamoufoxManager {
    // Clean up any dead instances before launching
    let _ = self.cleanup_dead_instances().await;

+    // For ephemeral profiles, write Firefox prefs to minimize disk writes
+    if override_profile_path.is_some() {
+      let user_js_path = profile_path.join("user.js");
+      let prefs = concat!(
+        "user_pref(\"browser.cache.disk.enable\", false);\n",
+        "user_pref(\"browser.cache.memory.enable\", true);\n",
+        "user_pref(\"browser.sessionstore.resume_from_crash\", false);\n",
+        "user_pref(\"browser.sessionstore.max_tabs_undo\", 0);\n",
+        "user_pref(\"browser.sessionstore.max_windows_undo\", 0);\n",
+        "user_pref(\"places.history.enabled\", false);\n",
+        "user_pref(\"browser.formfill.enable\", false);\n",
+        "user_pref(\"signon.rememberSignons\", false);\n",
+        "user_pref(\"browser.bookmarks.max_backups\", 0);\n",
+        "user_pref(\"browser.shell.checkDefaultBrowser\", false);\n",
+        "user_pref(\"toolkit.crashreporter.enabled\", false);\n",
+        "user_pref(\"browser.pagethumbnails.capturing_disabled\", true);\n",
+        "user_pref(\"browser.download.manager.addToRecentDocs\", false);\n",
+      );
+      if let Err(e) = std::fs::write(&user_js_path, prefs) {
+        log::warn!("Failed to write ephemeral user.js: {e}");
+      }
+    }
+
+    // Write search.json.mozlz4 with default search engines (DuckDuckGo + Google)
+    write_default_search_config(&profile_path);
+
    self
      .launch_camoufox(
        &app_handle,
@@ -604,6 +644,77 @@ impl CamoufoxManager {
  }
 }

+fn write_default_search_config(profile_path: &std::path::Path) {
+  let search_file = profile_path.join("search.json.mozlz4");
+  if search_file.exists() {
+    return;
+  }
+
+  let json = serde_json::json!({
+    "version": 6,
+    "engines": [
+      {
+        "_name": "DuckDuckGo",
+        "_isAppProvided": false,
+        "_metaData": { "order": 1 },
+        "_urls": [
+          {
+            "template": "https://duckduckgo.com/?q={searchTerms}",
+            "type": "text/html",
+            "params": []
+          },
+          {
+            "template": "https://duckduckgo.com/ac/?q={searchTerms}&type=list",
+            "type": "application/x-suggestions+json",
+            "params": []
+          }
+        ],
+        "_iconURL": "https://duckduckgo.com/favicon.ico"
+      },
+      {
+        "_name": "Google",
+        "_isAppProvided": false,
+        "_metaData": { "order": 2 },
+        "_urls": [
+          {
+            "template": "https://www.google.com/search?q={searchTerms}",
+            "type": "text/html",
+            "params": []
+          },
+          {
+            "template": "https://www.google.com/complete/search?client=firefox&q={searchTerms}",
+            "type": "application/x-suggestions+json",
+            "params": []
+          }
+        ],
+        "_iconURL": "https://www.google.com/favicon.ico"
+      }
+    ],
+    "metaData": {
+      "useSavedOrder": false,
+      "defaultEngineId": "DuckDuckGo"
+    }
+  });
+
+  let json_bytes = match serde_json::to_vec(&json) {
+    Ok(bytes) => bytes,
+    Err(e) => {
+      log::warn!("Failed to serialize search config: {e}");
+      return;
+    }
+  };
+
+  let magic = b"mozLz40\0";
+  let compressed = lz4_flex::block::compress_prepend_size(&json_bytes);
+  let mut output = Vec::with_capacity(magic.len() + compressed.len());
+  output.extend_from_slice(magic);
+  output.extend_from_slice(&compressed);
+
+  if let Err(e) = std::fs::write(&search_file, &output) {
+    log::warn!("Failed to write search.json.mozlz4: {e}");
+  }
+}
+
 #[cfg(test)]
 mod tests {
  use super::*;
@@ -37,6 +37,14 @@ pub struct CloudUser {
  pub proxy_bandwidth_limit_mb: i64,
  #[serde(rename = "proxyBandwidthUsedMb")]
  pub proxy_bandwidth_used_mb: i64,
+  #[serde(rename = "proxyBandwidthExtraMb", default)]
+  pub proxy_bandwidth_extra_mb: i64,
+  #[serde(rename = "teamId", default)]
+  pub team_id: Option<String>,
+  #[serde(rename = "teamName", default)]
+  pub team_name: Option<String>,
+  #[serde(rename = "teamRole", default)]
+  pub team_role: Option<String>,
 }

 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -247,7 +255,7 @@ impl CloudAuthManager {
    Self::encrypt_and_store(&path, b"DBCAT", token)
  }

-  fn load_access_token() -> Result<Option<String>, String> {
+  pub(crate) fn load_access_token() -> Result<Option<String>, String> {
    let path = Self::get_settings_dir().join("cloud_access_token.dat");
    Self::decrypt_from_file(&path, b"DBCAT")
  }
@@ -570,6 +578,9 @@ impl CloudAuthManager {
  }

  pub async fn logout(&self) -> Result<(), String> {
+    // Disconnect team lock manager
+    crate::team_lock::TEAM_LOCK.disconnect().await;
+
    // Try to call the logout API (best-effort)
    if let Ok(Some(access_token)) = Self::load_access_token() {
      let refresh_token = Self::load_refresh_token().ok().flatten();
@@ -602,11 +613,46 @@ impl CloudAuthManager {
  pub async fn has_active_paid_subscription(&self) -> bool {
    let state = self.state.lock().await;
    match &*state {
-      Some(auth) => auth.user.plan != "free" && auth.user.subscription_status == "active",
+      Some(auth) => {
+        auth.user.plan != "free"
+          && (auth.user.subscription_status == "active"
+            || auth.user.plan_period.as_deref() == Some("lifetime"))
+      }
      None => false,
    }
  }

+  /// Non-async version that uses try_lock, defaults to false if lock can't be acquired.
+  pub fn has_active_paid_subscription_sync(&self) -> bool {
+    match self.state.try_lock() {
+      Ok(state) => match &*state {
+        Some(auth) => {
+          auth.user.plan != "free"
+            && (auth.user.subscription_status == "active"
+              || auth.user.plan_period.as_deref() == Some("lifetime"))
+        }
+        None => false,
+      },
+      Err(_) => false,
+    }
+  }
+
+  pub async fn is_fingerprint_os_allowed(&self, fingerprint_os: Option<&str>) -> bool {
+    let host_os = crate::profile::types::get_host_os();
+    match fingerprint_os {
+      None => true,
+      Some(os) if os == host_os => true,
+      Some(_) => self.has_active_paid_subscription().await,
+    }
+  }
+
+  pub async fn is_on_team_plan(&self) -> bool {
+    if let Some(state) = self.get_user().await {
+      return state.user.team_id.is_some();
+    }
+    false
+  }
+
  pub async fn get_user(&self) -> Option<CloudAuthState> {
    let state = self.state.lock().await;
    state.clone()
@@ -905,6 +951,13 @@ impl CloudAuthManager {
        log::debug!("Failed to refresh cloud profile: {e}");
      }

+      // Reconnect team lock manager if needed
+      if let Some(auth_state) = CLOUD_AUTH.get_user().await {
+        if let Some(tid) = &auth_state.user.team_id {
+          crate::team_lock::TEAM_LOCK.connect(tid).await;
+        }
+      }
+
      // Sync cloud proxy credentials
      CLOUD_AUTH.sync_cloud_proxy().await;

@@ -948,6 +1001,13 @@ pub async fn cloud_verify_otp(
  // Sync cloud proxy after login
  CLOUD_AUTH.sync_cloud_proxy().await;

+  // Connect team lock manager if on a team plan
+  if state.user.team_id.is_some() {
+    if let Some(tid) = &state.user.team_id {
+      crate::team_lock::TEAM_LOCK.connect(tid).await;
+    }
+  }
+
  let _ = crate::events::emit_empty("cloud-auth-changed");

  let _ = &app_handle;
@@ -1071,6 +1131,12 @@ pub async fn restart_sync_service(app_handle: tauri::AppHandle) -> Result<(), St
          {
            log::warn!("Failed to check for missing profiles: {}", e);
          }
+          if let Err(e) = engine
+            .check_for_missing_synced_entities(&app_handle_sync)
+            .await
+          {
+            log::warn!("Failed to check for missing entities: {}", e);
+          }
        }
        Err(e) => {
          log::debug!("Sync not configured, skipping missing profile check: {}", e);
@@ -2,6 +2,7 @@ use crate::profile::manager::ProfileManager;
 use crate::profile::BrowserProfile;
 use rusqlite::{params, Connection};
 use serde::{Deserialize, Serialize};
+use serde_json::Value;
 use std::collections::HashMap;
 use std::path::{Path, PathBuf};
 use tauri::AppHandle;
@@ -62,6 +63,14 @@ pub struct CookieCopyResult {
  pub errors: Vec<String>,
 }

+/// Result of a cookie import operation
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct CookieImportResult {
+  pub cookies_imported: usize,
+  pub cookies_replaced: usize,
+  pub errors: Vec<String>,
+}
+
 pub struct CookieManager;

 impl CookieManager {
@@ -493,4 +502,499 @@ impl CookieManager {

    Ok(results)
  }
+
+  /// Parse Netscape format cookies from text content
+  fn parse_netscape_cookies(content: &str) -> (Vec<UnifiedCookie>, Vec<String>) {
+    let mut cookies = Vec::new();
+    let mut errors = Vec::new();
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap()
+      .as_secs() as i64;
+
+    for (i, line) in content.lines().enumerate() {
+      let line = line.trim();
+      if line.is_empty() || line.starts_with('#') {
+        continue;
+      }
+
+      let fields: Vec<&str> = line.split('\t').collect();
+      if fields.len() < 7 {
+        errors.push(format!(
+          "Line {}: expected 7 tab-separated fields, got {}",
+          i + 1,
+          fields.len()
+        ));
+        continue;
+      }
+
+      let domain = fields[0].to_string();
+      let path = fields[2].to_string();
+      let is_secure = fields[3].eq_ignore_ascii_case("TRUE");
+      let expires = fields[4].parse::<i64>().unwrap_or(0);
+      let name = fields[5].to_string();
+      let value = fields[6].to_string();
+
+      cookies.push(UnifiedCookie {
+        name,
+        value,
+        domain,
+        path,
+        expires,
+        is_secure,
+        is_http_only: false,
+        same_site: 0,
+        creation_time: now,
+        last_accessed: now,
+      });
+    }
+
+    (cookies, errors)
+  }
+
+  /// Parse JSON format cookies (array of cookie objects, e.g. from browser extensions)
+  fn parse_json_cookies(content: &str) -> (Vec<UnifiedCookie>, Vec<String>) {
+    let mut cookies = Vec::new();
+    let mut errors = Vec::new();
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap()
+      .as_secs() as i64;
+
+    let arr: Vec<Value> = match serde_json::from_str(content) {
+      Ok(v) => v,
+      Err(e) => {
+        errors.push(format!("Failed to parse JSON: {e}"));
+        return (cookies, errors);
+      }
+    };
+
+    for (i, obj) in arr.iter().enumerate() {
+      let name = match obj.get("name").and_then(|v| v.as_str()) {
+        Some(s) => s.to_string(),
+        None => {
+          errors.push(format!("Cookie {}: missing 'name' field", i + 1));
+          continue;
+        }
+      };
+      let value = obj
+        .get("value")
+        .and_then(|v| v.as_str())
+        .unwrap_or("")
+        .to_string();
+      let domain = match obj.get("domain").and_then(|v| v.as_str()) {
+        Some(s) => s.to_string(),
+        None => {
+          errors.push(format!("Cookie {}: missing 'domain' field", i + 1));
+          continue;
+        }
+      };
+      let path = obj
+        .get("path")
+        .and_then(|v| v.as_str())
+        .unwrap_or("/")
+        .to_string();
+      let is_secure = obj.get("secure").and_then(|v| v.as_bool()).unwrap_or(false);
+      let is_http_only = obj
+        .get("httpOnly")
+        .and_then(|v| v.as_bool())
+        .unwrap_or(false);
+      let is_session = obj
+        .get("session")
+        .and_then(|v| v.as_bool())
+        .unwrap_or(false);
+      let expires = if is_session {
+        0
+      } else {
+        obj
+          .get("expirationDate")
+          .and_then(|v| v.as_f64())
+          .map(|f| f as i64)
+          .unwrap_or(0)
+      };
+      let same_site = obj
+        .get("sameSite")
+        .and_then(|v| v.as_str())
+        .map(|s| match s {
+          "lax" => 1,
+          "strict" => 2,
+          _ => 0, // "no_restriction" or unrecognized
+        })
+        .unwrap_or(0);
+
+      cookies.push(UnifiedCookie {
+        name,
+        value,
+        domain,
+        path,
+        expires,
+        is_secure,
+        is_http_only,
+        same_site,
+        creation_time: now,
+        last_accessed: now,
+      });
+    }
+
+    (cookies, errors)
+  }
+
+  /// Auto-detect cookie format and parse
+  fn parse_cookies(content: &str) -> (Vec<UnifiedCookie>, Vec<String>) {
+    let trimmed = content.trim();
+    if trimmed.starts_with('[') && serde_json::from_str::<Vec<Value>>(trimmed).is_ok() {
+      return Self::parse_json_cookies(trimmed);
+    }
+    Self::parse_netscape_cookies(content)
+  }
+
+  /// Format cookies as Netscape TXT
+  pub fn format_netscape_cookies(cookies: &[UnifiedCookie]) -> String {
+    let mut lines = Vec::new();
+    lines.push("# Netscape HTTP Cookie File".to_string());
+    for cookie in cookies {
+      let flag = if cookie.domain.starts_with('.') {
+        "TRUE"
+      } else {
+        "FALSE"
+      };
+      let secure = if cookie.is_secure { "TRUE" } else { "FALSE" };
+      lines.push(format!(
+        "{}\t{}\t{}\t{}\t{}\t{}\t{}",
+        cookie.domain, flag, cookie.path, secure, cookie.expires, cookie.name, cookie.value
+      ));
+    }
+    lines.join("\n")
+  }
+
+  /// Format cookies as JSON
+  pub fn format_json_cookies(cookies: &[UnifiedCookie]) -> String {
+    let arr: Vec<Value> = cookies
+      .iter()
+      .map(|c| {
+        let same_site_str = match c.same_site {
+          1 => "lax",
+          2 => "strict",
+          _ => "no_restriction",
+        };
+        serde_json::json!({
+          "name": c.name,
+          "value": c.value,
+          "domain": c.domain,
+          "path": c.path,
+          "secure": c.is_secure,
+          "httpOnly": c.is_http_only,
+          "sameSite": same_site_str,
+          "expirationDate": c.expires,
+          "session": c.expires == 0,
+          "hostOnly": !c.domain.starts_with('.'),
+        })
+      })
+      .collect();
+    serde_json::to_string_pretty(&arr).unwrap_or_else(|_| "[]".to_string())
+  }
+
+  /// Public API: Import cookies with auto-format detection
+  pub async fn import_cookies(
+    app_handle: &AppHandle,
+    profile_id: &str,
+    content: &str,
+  ) -> Result<CookieImportResult, String> {
+    let profile_manager = ProfileManager::instance();
+    let profiles_dir = profile_manager.get_profiles_dir();
+    let profiles = profile_manager
+      .list_profiles()
+      .map_err(|e| format!("Failed to list profiles: {e}"))?;
+
+    let profile = profiles
+      .iter()
+      .find(|p| p.id.to_string() == profile_id)
+      .ok_or_else(|| format!("Profile not found: {profile_id}"))?;
+
+    let is_running = profile_manager
+      .check_browser_status(app_handle.clone(), profile)
+      .await
+      .unwrap_or(false);
+
+    if is_running {
+      return Err(format!(
+        "Cannot import cookies while browser is running for profile: {}",
+        profile.name
+      ));
+    }
+
+    let (cookies, parse_errors) = Self::parse_cookies(content);
+
+    if cookies.is_empty() {
+      return Err("No valid cookies found in the file".to_string());
+    }
+
+    let db_path = Self::get_cookie_db_path(profile, &profiles_dir)?;
+
+    let write_result = match profile.browser.as_str() {
+      "camoufox" => Self::write_firefox_cookies(&db_path, &cookies),
+      "wayfern" => Self::write_chrome_cookies(&db_path, &cookies),
+      _ => return Err(format!("Unsupported browser type: {}", profile.browser)),
+    };
+
+    match write_result {
+      Ok((imported, replaced)) => Ok(CookieImportResult {
+        cookies_imported: imported,
+        cookies_replaced: replaced,
+        errors: parse_errors,
+      }),
+      Err(e) => Err(format!("Failed to write cookies: {e}")),
+    }
+  }
+
+  /// Public API: Export cookies from a profile in the specified format
+  pub fn export_cookies(profile_id: &str, format: &str) -> Result<String, String> {
+    let result = Self::read_cookies(profile_id)?;
+    let all_cookies: Vec<UnifiedCookie> =
+      result.domains.into_iter().flat_map(|d| d.cookies).collect();
+
+    match format {
+      "json" => Ok(Self::format_json_cookies(&all_cookies)),
+      "netscape" => Ok(Self::format_netscape_cookies(&all_cookies)),
+      _ => Err(format!("Unsupported export format: {format}")),
+    }
+  }
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_parse_netscape_cookies_valid() {
+    let content = "# Netscape HTTP Cookie File\n\
+      .example.com\tTRUE\t/\tTRUE\t1700000000\tsession_id\tabc123\n\
+      example.com\tFALSE\t/path\tFALSE\t0\ttoken\txyz";
+    let (cookies, errors) = CookieManager::parse_netscape_cookies(content);
+    assert_eq!(cookies.len(), 2);
+    assert!(errors.is_empty());
+
+    assert_eq!(cookies[0].domain, ".example.com");
+    assert_eq!(cookies[0].name, "session_id");
+    assert_eq!(cookies[0].value, "abc123");
+    assert_eq!(cookies[0].path, "/");
+    assert!(cookies[0].is_secure);
+    assert_eq!(cookies[0].expires, 1700000000);
+
+    assert_eq!(cookies[1].domain, "example.com");
+    assert!(!cookies[1].is_secure);
+    assert_eq!(cookies[1].expires, 0);
+  }
+
+  #[test]
+  fn test_parse_netscape_cookies_skips_comments_and_blanks() {
+    let content = "# Comment line\n\n  \n# Another comment\n\
+      .test.com\tTRUE\t/\tFALSE\t0\tname\tvalue\n";
+    let (cookies, errors) = CookieManager::parse_netscape_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert!(errors.is_empty());
+  }
+
+  #[test]
+  fn test_parse_netscape_cookies_malformed_lines() {
+    let content = "not\tenough\tfields\n\
+      .ok.com\tTRUE\t/\tFALSE\t0\tname\tvalue\n";
+    let (cookies, errors) = CookieManager::parse_netscape_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert_eq!(errors.len(), 1);
+    assert!(errors[0].contains("expected 7 tab-separated fields"));
+  }
+
+  #[test]
+  fn test_parse_json_cookies_valid() {
+    let content = r#"[
+      {
+        "name": "sid",
+        "value": "abc",
+        "domain": ".example.com",
+        "path": "/",
+        "secure": true,
+        "httpOnly": true,
+        "sameSite": "lax",
+        "expirationDate": 1700000000,
+        "session": false
+      }
+    ]"#;
+    let (cookies, errors) = CookieManager::parse_json_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert!(errors.is_empty());
+    assert_eq!(cookies[0].name, "sid");
+    assert_eq!(cookies[0].domain, ".example.com");
+    assert!(cookies[0].is_secure);
+    assert!(cookies[0].is_http_only);
+    assert_eq!(cookies[0].same_site, 1);
+    assert_eq!(cookies[0].expires, 1700000000);
+  }
+
+  #[test]
+  fn test_parse_json_cookies_session() {
+    let content = r#"[{"name": "s", "value": "v", "domain": ".d.com", "session": true, "expirationDate": 9999}]"#;
+    let (cookies, errors) = CookieManager::parse_json_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert!(errors.is_empty());
+    assert_eq!(cookies[0].expires, 0);
+  }
+
+  #[test]
+  fn test_parse_json_cookies_same_site_mapping() {
+    let content = r#"[
+      {"name": "a", "value": "", "domain": ".d.com", "sameSite": "no_restriction"},
+      {"name": "b", "value": "", "domain": ".d.com", "sameSite": "lax"},
+      {"name": "c", "value": "", "domain": ".d.com", "sameSite": "strict"}
+    ]"#;
+    let (cookies, _) = CookieManager::parse_json_cookies(content);
+    assert_eq!(cookies[0].same_site, 0);
+    assert_eq!(cookies[1].same_site, 1);
+    assert_eq!(cookies[2].same_site, 2);
+  }
+
+  #[test]
+  fn test_parse_cookies_auto_detect_json() {
+    let content = r#"[{"name": "x", "value": "y", "domain": ".test.com"}]"#;
+    let (cookies, _) = CookieManager::parse_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert_eq!(cookies[0].name, "x");
+  }
+
+  #[test]
+  fn test_parse_cookies_auto_detect_netscape() {
+    let content = ".test.com\tTRUE\t/\tFALSE\t0\tname\tvalue";
+    let (cookies, _) = CookieManager::parse_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert_eq!(cookies[0].name, "name");
+  }
+
+  #[test]
+  fn test_format_netscape_cookies() {
+    let cookies = vec![UnifiedCookie {
+      name: "sid".to_string(),
+      value: "abc".to_string(),
+      domain: ".example.com".to_string(),
+      path: "/".to_string(),
+      expires: 1700000000,
+      is_secure: true,
+      is_http_only: false,
+      same_site: 0,
+      creation_time: 0,
+      last_accessed: 0,
+    }];
+    let output = CookieManager::format_netscape_cookies(&cookies);
+    assert!(output.contains("# Netscape HTTP Cookie File"));
+    assert!(output.contains(".example.com\tTRUE\t/\tTRUE\t1700000000\tsid\tabc"));
+  }
+
+  #[test]
+  fn test_format_json_cookies() {
+    let cookies = vec![UnifiedCookie {
+      name: "sid".to_string(),
+      value: "abc".to_string(),
+      domain: ".example.com".to_string(),
+      path: "/".to_string(),
+      expires: 1700000000,
+      is_secure: true,
+      is_http_only: true,
+      same_site: 1,
+      creation_time: 0,
+      last_accessed: 0,
+    }];
+    let output = CookieManager::format_json_cookies(&cookies);
+    let parsed: Vec<Value> = serde_json::from_str(&output).unwrap();
+    assert_eq!(parsed.len(), 1);
+    assert_eq!(parsed[0]["name"], "sid");
+    assert_eq!(parsed[0]["sameSite"], "lax");
+    assert_eq!(parsed[0]["session"], false);
+    assert_eq!(parsed[0]["hostOnly"], false);
+  }
+
+  #[test]
+  fn test_netscape_roundtrip() {
+    let cookies = vec![
+      UnifiedCookie {
+        name: "a".to_string(),
+        value: "1".to_string(),
+        domain: ".d.com".to_string(),
+        path: "/".to_string(),
+        expires: 1700000000,
+        is_secure: true,
+        is_http_only: false,
+        same_site: 0,
+        creation_time: 0,
+        last_accessed: 0,
+      },
+      UnifiedCookie {
+        name: "b".to_string(),
+        value: "2".to_string(),
+        domain: "d.com".to_string(),
+        path: "/p".to_string(),
+        expires: 0,
+        is_secure: false,
+        is_http_only: false,
+        same_site: 0,
+        creation_time: 0,
+        last_accessed: 0,
+      },
+    ];
+    let formatted = CookieManager::format_netscape_cookies(&cookies);
+    let (parsed, errors) = CookieManager::parse_netscape_cookies(&formatted);
+    assert!(errors.is_empty());
+    assert_eq!(parsed.len(), 2);
+    assert_eq!(parsed[0].name, "a");
+    assert_eq!(parsed[0].domain, ".d.com");
+    assert!(parsed[0].is_secure);
+    assert_eq!(parsed[1].name, "b");
+    assert_eq!(parsed[1].domain, "d.com");
+  }
+
+  #[test]
+  fn test_json_roundtrip() {
+    let cookies = vec![UnifiedCookie {
+      name: "tok".to_string(),
+      value: "xyz".to_string(),
+      domain: ".site.org".to_string(),
+      path: "/app".to_string(),
+      expires: 1700000000,
+      is_secure: false,
+      is_http_only: true,
+      same_site: 2,
+      creation_time: 0,
+      last_accessed: 0,
+    }];
+    let formatted = CookieManager::format_json_cookies(&cookies);
+    let (parsed, errors) = CookieManager::parse_json_cookies(&formatted);
+    assert!(errors.is_empty());
+    assert_eq!(parsed.len(), 1);
+    assert_eq!(parsed[0].name, "tok");
+    assert_eq!(parsed[0].domain, ".site.org");
+    assert_eq!(parsed[0].path, "/app");
+    assert!(!parsed[0].is_secure);
+    assert!(parsed[0].is_http_only);
+    assert_eq!(parsed[0].same_site, 2);
+    assert_eq!(parsed[0].expires, 1700000000);
+  }
+
+  #[test]
+  fn test_chrome_time_to_unix() {
+    assert_eq!(CookieManager::chrome_time_to_unix(0), 0);
+    let chrome_time: i64 = (1700000000 + CookieManager::WINDOWS_EPOCH_DIFF) * 1_000_000;
+    assert_eq!(CookieManager::chrome_time_to_unix(chrome_time), 1700000000);
+  }
+
+  #[test]
+  fn test_unix_to_chrome_time() {
+    assert_eq!(CookieManager::unix_to_chrome_time(0), 0);
+    let expected = (1700000000 + CookieManager::WINDOWS_EPOCH_DIFF) * 1_000_000;
+    assert_eq!(CookieManager::unix_to_chrome_time(1700000000), expected);
+  }
+
+  #[test]
+  fn test_chrome_time_roundtrip() {
+    let unix = 1700000000_i64;
+    let chrome = CookieManager::unix_to_chrome_time(unix);
+    assert_eq!(CookieManager::chrome_time_to_unix(chrome), unix);
+  }
 }
@@ -103,11 +103,6 @@ pub fn enable_autostart() -> io::Result<()> {
    <true/>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
-    <key>KeepAlive</key>
-    <dict>
-        <key>SuccessfulExit</key>
-        <false/>
-    </dict>
    <key>ProcessType</key>
    <string>Interactive</string>
    <key>StandardOutPath</key>
@@ -188,6 +183,26 @@ pub fn load_launch_agent() -> io::Result<()> {
  Ok(())
 }

+#[cfg(target_os = "macos")]
+pub fn start_launch_agent() -> io::Result<()> {
+  use std::process::Command;
+
+  let output = Command::new("launchctl")
+    .args(["start", "com.donutbrowser.daemon"])
+    .output()?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    return Err(io::Error::other(format!(
+      "launchctl start failed: {}",
+      stderr
+    )));
+  }
+
+  log::info!("Started launch agent via launchctl");
+  Ok(())
+}
+
 #[cfg(target_os = "macos")]
 pub fn unload_launch_agent() -> io::Result<()> {
  use std::process::Command;
@@ -229,16 +244,22 @@ pub fn enable_autostart() -> io::Result<()> {

  let desktop_path = autostart_dir.join("donut-daemon.desktop");

+  let escaped_daemon_path = daemon_path
+    .display()
+    .to_string()
+    .replace('\\', "\\\\")
+    .replace('"', "\\\"")
+    .replace('`', "\\`")
+    .replace('$', "\\$");
  let desktop_content = format!(
    r#"[Desktop Entry]
 Type=Application
 Name=Donut Browser Daemon
-Exec={} start
+Exec="{escaped_daemon_path}" run
 Hidden=false
 NoDisplay=true
 X-GNOME-Autostart-enabled=true
 "#,
-    daemon_path.display()
  );

  fs::write(&desktop_path, desktop_content)?;
@@ -281,7 +302,7 @@ pub fn enable_autostart() -> io::Result<()> {

  key.set_value(
    "DonutBrowserDaemon",
-    &format!("\"{}\" start", daemon_path.display()),
+    &format!("\"{}\" run", daemon_path.display()),
  )?;

  log::info!("Added registry autostart entry");
@@ -1,10 +1,7 @@
-use muda::{Menu, MenuItem, PredefinedMenuItem};
+use muda::{Menu, MenuItem};
 use std::process::Command;
-use std::sync::atomic::{AtomicBool, Ordering};
 use tray_icon::{Icon, TrayIcon, TrayIconBuilder};

-static GUI_RUNNING: AtomicBool = AtomicBool::new(false);
-
 pub fn load_icon() -> Icon {
  // On Windows, use the full-color icon so it renders well on dark taskbars.
  // On macOS/Linux, use the template icon (black with alpha) for system light/dark handling.
@@ -25,7 +22,6 @@ pub fn load_icon() -> Icon {

 pub struct TrayMenu {
  pub menu: Menu,
-  pub open_item: MenuItem,
  pub quit_item: MenuItem,
 }

@@ -39,19 +35,11 @@ impl TrayMenu {
  pub fn new() -> Self {
    let menu = Menu::new();

-    let open_item = MenuItem::new("Open Donut Browser", true, None);
-    let separator = PredefinedMenuItem::separator();
    let quit_item = MenuItem::new("Quit Donut Browser", true, None);

-    menu.append(&open_item).unwrap();
-    menu.append(&separator).unwrap();
    menu.append(&quit_item).unwrap();

-    Self {
-      menu,
-      open_item,
-      quit_item,
-    }
+    Self { menu, quit_item }
  }
 }

@@ -68,25 +56,47 @@ pub fn create_tray_icon(icon: Icon, menu: &Menu) -> TrayIcon {
  builder.build().expect("Failed to create tray icon")
 }

-pub fn open_gui() {
-  if GUI_RUNNING.load(Ordering::SeqCst) {
-    log::info!("GUI already running, activating...");
-    activate_gui();
-    return;
+/// Resolve the .app bundle path from the current daemon executable.
+/// In production the daemon is at `Donut.app/Contents/MacOS/donut-daemon`.
+#[cfg(target_os = "macos")]
+fn get_app_bundle_path() -> Option<std::path::PathBuf> {
+  let exe = std::env::current_exe().ok()?;
+  let macos_dir = exe.parent()?;
+  let contents_dir = macos_dir.parent()?;
+  let app_dir = contents_dir.parent()?;
+  if app_dir.extension().and_then(|e| e.to_str()) == Some("app") {
+    Some(app_dir.to_path_buf())
+  } else {
+    None
  }
+}

+pub fn open_gui() {
  log::info!("Opening GUI...");

  #[cfg(target_os = "macos")]
  {
-    let _ = Command::new("open").arg("-a").arg("Donut Browser").spawn();
+    // Launch the GUI binary directly. The daemon lives inside the same .app
+    // bundle, so `open` (even with `-n`) can re-activate the daemon instead
+    // of launching the GUI. Directly running the binary avoids macOS's app
+    // activation machinery. The single-instance Tauri plugin in the GUI
+    // handles deduplication if a GUI instance is already running.
+    if let Some(app_bundle) = get_app_bundle_path() {
+      let gui_binary = app_bundle.join("Contents").join("MacOS").join("Donut");
+      if gui_binary.exists() {
+        let _ = Command::new(&gui_binary).spawn();
+      } else {
+        let _ = Command::new("open").args(["-n"]).arg(&app_bundle).spawn();
+      }
+    } else {
+      let _ = Command::new("open").args(["-n", "-a", "Donut"]).spawn();
+    }
  }

  #[cfg(target_os = "windows")]
  {
    use std::path::PathBuf;

-    // In dev mode, find the main exe next to the daemon binary
    if let Ok(current_exe) = std::env::current_exe() {
      if let Some(exe_dir) = current_exe.parent() {
        let app_path = exe_dir.join("donutbrowser.exe");
@@ -118,15 +128,77 @@ pub fn open_gui() {
  }
 }

-pub fn activate_gui() {
-  #[cfg(target_os = "macos")]
+fn read_gui_pid() -> Option<u32> {
+  let path = super::autostart::get_data_dir()?.join("daemon-state.json");
+  let content = std::fs::read_to_string(path).ok()?;
+  let val: serde_json::Value = serde_json::from_str(&content).ok()?;
+  val.get("gui_pid")?.as_u64().map(|p| p as u32)
+}
+
+fn kill_gui_by_pid() -> bool {
+  let Some(pid) = read_gui_pid() else {
+    return false;
+  };
+
+  #[cfg(unix)]
  {
-    let _ = Command::new("osascript")
-      .args(["-e", "tell application \"Donut Browser\" to activate"])
-      .spawn();
+    let ret = unsafe { libc::kill(pid as i32, libc::SIGTERM) };
+    ret == 0
+  }
+
+  #[cfg(windows)]
+  {
+    use std::os::windows::process::CommandExt;
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
+    Command::new("taskkill")
+      .args(["/PID", &pid.to_string(), "/F"])
+      .creation_flags(CREATE_NO_WINDOW)
+      .output()
+      .map(|o| o.status.success())
+      .unwrap_or(false)
+  }
+
+  #[cfg(not(any(unix, windows)))]
+  {
+    false
  }
 }

-pub fn set_gui_running(running: bool) {
-  GUI_RUNNING.store(running, Ordering::SeqCst);
+pub fn quit_gui() {
+  log::info!("[daemon] Quitting GUI...");
+
+  if kill_gui_by_pid() {
+    log::info!("[daemon] GUI killed by PID");
+    return;
+  }
+
+  log::info!("[daemon] PID-based kill failed, falling back to name-based kill");
+
+  #[cfg(target_os = "macos")]
+  {
+    // Use spawn() instead of output() to avoid blocking the event loop.
+    // AppleScript has a ~2 minute default timeout that would freeze the tray icon.
+    let _ = Command::new("osascript")
+      .args(["-e", "tell application \"Donut\" to quit"])
+      .spawn();
+  }
+
+  #[cfg(target_os = "windows")]
+  {
+    use std::os::windows::process::CommandExt;
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
+    let _ = Command::new("taskkill")
+      .args(["/IM", "Donut.exe", "/F"])
+      .creation_flags(CREATE_NO_WINDOW)
+      .spawn();
+    let _ = Command::new("taskkill")
+      .args(["/IM", "donutbrowser.exe", "/F"])
+      .creation_flags(CREATE_NO_WINDOW)
+      .spawn();
+  }
+
+  #[cfg(target_os = "linux")]
+  {
+    let _ = Command::new("pkill").args(["-x", "donutbrowser"]).spawn();
+  }
 }
@@ -9,6 +9,26 @@ use std::time::Duration;

 use crate::daemon::autostart;

+/// Check if a process with the given PID exists using the Windows API.
+/// This avoids spawning tasklist.exe which causes a visible conhost window flash.
+#[cfg(windows)]
+fn win_process_exists(pid: u32) -> bool {
+  const PROCESS_QUERY_LIMITED_INFORMATION: u32 = 0x1000;
+
+  extern "system" {
+    fn OpenProcess(dwDesiredAccess: u32, bInheritHandles: i32, dwProcessId: u32) -> *mut ();
+    fn CloseHandle(hObject: *mut ()) -> i32;
+  }
+
+  let handle = unsafe { OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid) };
+  if handle.is_null() {
+    false
+  } else {
+    unsafe { CloseHandle(handle) };
+    true
+  }
+}
+
 #[derive(Debug, Deserialize, Default)]
 struct DaemonState {
  daemon_pid: Option<u32>,
@@ -32,7 +52,7 @@ fn read_state() -> DaemonState {
  DaemonState::default()
 }

-fn is_daemon_running() -> bool {
+pub fn is_daemon_running() -> bool {
  let state = read_state();

  if let Some(pid) = state.daemon_pid {
@@ -43,12 +63,7 @@ fn is_daemon_running() -> bool {

    #[cfg(windows)]
    {
-      let output = Command::new("tasklist")
-        .args(["/FI", &format!("PID eq {}", pid)])
-        .output();
-      output
-        .map(|o| String::from_utf8_lossy(&o.stdout).contains(&pid.to_string()))
-        .unwrap_or(false)
+      win_process_exists(pid)
    }

    #[cfg(not(any(unix, windows)))]
@@ -113,7 +128,13 @@ fn get_daemon_path() -> Option<PathBuf> {
  // Try to find it in PATH
  #[cfg(target_os = "windows")]
  {
-    if let Ok(output) = Command::new("where").arg("donut-daemon").output() {
+    use std::os::windows::process::CommandExt;
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
+    if let Ok(output) = Command::new("where")
+      .arg("donut-daemon")
+      .creation_flags(CREATE_NO_WINDOW)
+      .output()
+    {
      if output.status.success() {
        let path = String::from_utf8_lossy(&output.stdout);
        let path = path.lines().next()?.trim();
@@ -243,6 +264,11 @@ fn spawn_daemon_macos() -> Result<(), String> {
  autostart::load_launch_agent().map_err(|e| format!("Failed to load LaunchAgent: {}", e))?;
  log::info!("launchctl load completed");

+  // Also explicitly start the agent in case it was already loaded but stopped
+  if let Err(e) = autostart::start_launch_agent() {
+    log::debug!("launchctl start note (non-fatal): {}", e);
+  }
+
  Ok(())
 }

@@ -308,3 +334,26 @@ pub fn ensure_daemon_running() -> Result<(), String> {
  }
  Ok(())
 }
+
+pub fn register_gui_pid() {
+  let path = get_state_path();
+  let mut val: serde_json::Value = if path.exists() {
+    fs::read_to_string(&path)
+      .ok()
+      .and_then(|c| serde_json::from_str(&c).ok())
+      .unwrap_or_else(|| serde_json::json!({}))
+  } else {
+    serde_json::json!({})
+  };
+
+  if let Some(obj) = val.as_object_mut() {
+    obj.insert(
+      "gui_pid".to_string(),
+      serde_json::Value::Number(std::process::id().into()),
+    );
+  }
+
+  if let Ok(content) = serde_json::to_string_pretty(&val) {
+    let _ = fs::write(&path, content);
+  }
+}
@@ -204,7 +204,7 @@ mod windows {
      .map_err(|e| format!("Failed to set ApplicationDescription: {}", e))?;

    app_key
-      .set_value("ApplicationIcon", &format!("{},0", exe_path))
+      .set_value("ApplicationIcon", &format!("\"{}\",0", exe_path))
      .map_err(|e| format!("Failed to set ApplicationIcon: {}", e))?;

    // Create Capabilities key
@@ -273,7 +273,7 @@ mod windows {
      .map_err(|e| format!("Failed to create DefaultIcon key: {}", e))?;

    icon_key
-      .set_value("", &format!("{},0", exe_path))
+      .set_value("", &format!("\"{}\",0", exe_path))
      .map_err(|e| format!("Failed to set default icon: {}", e))?;

    // Create shell\open\command key
@@ -1,4 +1,3 @@
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::fs;
@@ -71,16 +70,7 @@ impl DownloadedBrowsersRegistry {
  }

  fn get_registry_path() -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
-    let base_dirs = BaseDirs::new().ok_or("Failed to get base directories")?;
-    let mut path = base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("data");
-    path.push("downloaded_browsers.json");
-    Ok(path)
+    Ok(crate::app_dirs::data_subdir().join("downloaded_browsers.json"))
  }

  pub fn add_browser(&self, info: DownloadedBrowserInfo) {
@@ -128,19 +118,7 @@ impl DownloadedBrowsersRegistry {
    };
    let browser_instance = create_browser(browser_type.clone());

-    // Get binaries directory
-    let binaries_dir = if let Some(base_dirs) = directories::BaseDirs::new() {
-      let mut path = base_dirs.data_local_dir().to_path_buf();
-      path.push(if cfg!(debug_assertions) {
-        "DonutBrowserDev"
-      } else {
-        "DonutBrowser"
-      });
-      path.push("binaries");
-      path
-    } else {
-      return false;
-    };
+    let binaries_dir = crate::app_dirs::binaries_dir();

    let files_exist = browser_instance.is_version_downloaded(version, &binaries_dir);

@@ -312,6 +290,30 @@ impl DownloadedBrowsersRegistry {
      }
    }

+    // Filter out versions that would leave a browser with zero versions in the registry
+    {
+      let data = self.data.lock().unwrap();
+      let mut removal_counts: std::collections::HashMap<String, usize> =
+        std::collections::HashMap::new();
+      for (browser, _) in &to_remove {
+        *removal_counts.entry(browser.clone()).or_insert(0) += 1;
+      }
+      to_remove.retain(|(browser, version)| {
+        let total = data
+          .browsers
+          .get(browser.as_str())
+          .map(|v| v.len())
+          .unwrap_or(0);
+        let removing = *removal_counts.get(browser.as_str()).unwrap_or(&0);
+        if removing >= total {
+          log::info!("Keeping last available version: {browser} {version}");
+          *removal_counts.get_mut(browser.as_str()).unwrap() -= 1;
+          return false;
+        }
+        true
+      });
+    }
+
    // Remove unused binaries and their version folders
    for (browser, version) in to_remove {
      if let Err(e) = self.cleanup_failed_download(&browser, &version) {
@@ -511,15 +513,7 @@ impl DownloadedBrowsersRegistry {
    browser: &str,
    version: &str,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-    // Get binaries directory path
-    let base_dirs = directories::BaseDirs::new().ok_or("Failed to get base directories")?;
-    let mut binaries_dir = base_dirs.data_local_dir().to_path_buf();
-    binaries_dir.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    binaries_dir.push("binaries");
+    let binaries_dir = crate::app_dirs::binaries_dir();

    let version_dir = binaries_dir.join(browser).join(version);

@@ -806,19 +800,7 @@ impl DownloadedBrowsersRegistry {

      let browser = create_browser(browser_type.clone());

-      // Get binaries directory
-      let binaries_dir = if let Some(base_dirs) = directories::BaseDirs::new() {
-        let mut path = base_dirs.data_local_dir().to_path_buf();
-        path.push(if cfg!(debug_assertions) {
-          "DonutBrowserDev"
-        } else {
-          "DonutBrowser"
-        });
-        path.push("binaries");
-        path
-      } else {
-        return Err("Failed to get base directories".into());
-      };
+      let binaries_dir = crate::app_dirs::binaries_dir();

      log::info!(
        "binaries_dir: {binaries_dir:?} for profile: {}",
@@ -1164,6 +1146,58 @@ mod tests {
    );
  }

+  #[test]
+  fn test_last_version_kept_during_cleanup() {
+    let registry = DownloadedBrowsersRegistry::new();
+
+    // Add a single version for "firefox"
+    registry.add_browser(DownloadedBrowserInfo {
+      browser: "firefox".to_string(),
+      version: "139.0".to_string(),
+      file_path: PathBuf::from("/test/firefox/139.0"),
+    });
+
+    // Add two versions for "chromium"
+    registry.add_browser(DownloadedBrowserInfo {
+      browser: "chromium".to_string(),
+      version: "120.0".to_string(),
+      file_path: PathBuf::from("/test/chromium/120.0"),
+    });
+    registry.add_browser(DownloadedBrowserInfo {
+      browser: "chromium".to_string(),
+      version: "121.0".to_string(),
+      file_path: PathBuf::from("/test/chromium/121.0"),
+    });
+
+    // No active or running profiles
+    let result = registry
+      .cleanup_unused_binaries_internal(&[], &[])
+      .expect("cleanup should succeed");
+
+    // firefox 139.0 should be kept (last version), chromium should lose one but keep one
+    // The exact one kept depends on iteration order, but at least one must remain
+    assert!(
+      !result.contains(&"firefox 139.0".to_string()),
+      "Last version of firefox should not be cleaned up"
+    );
+    // At most one chromium version should have been cleaned up
+    let chromium_cleaned: Vec<_> = result
+      .iter()
+      .filter(|r| r.starts_with("chromium"))
+      .collect();
+    assert!(
+      chromium_cleaned.len() <= 1,
+      "At most one chromium version should be cleaned up, got: {:?}",
+      chromium_cleaned
+    );
+
+    // Verify firefox is still registered
+    assert!(
+      registry.is_browser_registered("firefox", "139.0"),
+      "Last firefox version should still be registered"
+    );
+  }
+
  #[test]
  fn test_is_browser_registered_vs_downloaded() {
    let registry = DownloadedBrowsersRegistry::new();
@@ -158,7 +158,11 @@ impl Downloader {
        let release = releases
          .iter()
          .find(|r| r.tag_name == version)
-          .ok_or(format!("Camoufox version {version} not found"))?;
+          .or_else(|| {
+            log::info!("Camoufox: requested version {version} not found, using latest available");
+            releases.first()
+          })
+          .ok_or("No Camoufox releases found".to_string())?;

        // Get platform and architecture info
        let (os, arch) = Self::get_platform_info();
@@ -179,14 +183,10 @@ impl Downloader {
          .fetch_wayfern_version_with_caching(true)
          .await?;

-        // Verify requested version matches available version
        if version_info.version != version {
-          return Err(
-            format!(
-              "Wayfern version {version} not found. Available version: {}",
-              version_info.version
-            )
-            .into(),
+          log::info!(
+            "Wayfern: requested version {version}, using available version {}",
+            version_info.version
          );
        }

@@ -434,6 +434,13 @@ impl Downloader {
    Ok(())
  }

+  fn configure_camoufox_search_engine(
+    &self,
+    browser_dir: &Path,
+  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    configure_camoufox_search_engine(browser_dir)
+  }
+
  pub async fn download_browser<R: tauri::Runtime>(
    &self,
    _app_handle: &tauri::AppHandle<R>,
@@ -652,6 +659,41 @@ impl Downloader {
      return Err("Please accept Wayfern Terms and Conditions before downloading browsers".into());
    }

+    // For Wayfern/Camoufox, resolve the actual available version from the API
+    let version = if browser_str == "wayfern" {
+      match self
+        .api_client
+        .fetch_wayfern_version_with_caching(true)
+        .await
+      {
+        Ok(info) if info.version != version => {
+          log::info!(
+            "Wayfern: requested {version}, using available {}",
+            info.version
+          );
+          info.version
+        }
+        _ => version,
+      }
+    } else if browser_str == "camoufox" {
+      match self
+        .api_client
+        .fetch_camoufox_releases_with_caching(true)
+        .await
+      {
+        Ok(releases) if !releases.is_empty() && releases[0].tag_name != version => {
+          log::info!(
+            "Camoufox: requested {version}, using available {}",
+            releases[0].tag_name
+          );
+          releases[0].tag_name.clone()
+        }
+        _ => version,
+      }
+    } else {
+      version
+    };
+
    // Check if this browser-version pair is already being downloaded
    let download_key = format!("{browser_str}-{version}");
    let cancel_token = {
@@ -674,21 +716,7 @@ impl Downloader {

    // Use injected registry instance

-    // Get binaries directory - we need to get it from somewhere
-    // This is a bit tricky since we don't have access to BrowserRunner's get_binaries_dir
-    // We'll need to replicate this logic
-    let binaries_dir = if let Some(base_dirs) = directories::BaseDirs::new() {
-      let mut path = base_dirs.data_local_dir().to_path_buf();
-      path.push(if cfg!(debug_assertions) {
-        "DonutBrowserDev"
-      } else {
-        "DonutBrowser"
-      });
-      path.push("binaries");
-      path
-    } else {
-      return Err("Failed to get base directories".into());
-    };
+    let binaries_dir = crate::app_dirs::binaries_dir();

    // Check if registry thinks it's downloaded, but also verify files actually exist
    if self.registry.is_browser_downloaded(&browser_str, &version) {
@@ -975,7 +1003,10 @@ impl Downloader {
        .await
      {
        log::warn!("Failed to create version.json for Camoufox: {e}");
-        // Don't fail the download if version.json creation fails
+      }
+
+      if let Err(e) = self.configure_camoufox_search_engine(&browser_dir) {
+        log::warn!("Failed to configure Camoufox search engine: {e}");
      }
    }

@@ -1002,6 +1033,51 @@ impl Downloader {
      tokens.remove(&download_key);
    }

+    // Auto-update non-running profiles to the new version and cleanup unused binaries
+    {
+      let browser_for_update = browser_str.clone();
+      let version_for_update = version.clone();
+      let app_handle_for_update = app_handle.clone();
+      tauri::async_runtime::spawn(async move {
+        let auto_updater = crate::auto_updater::AutoUpdater::instance();
+        match auto_updater
+          .auto_update_profile_versions(
+            &app_handle_for_update,
+            &browser_for_update,
+            &version_for_update,
+          )
+          .await
+        {
+          Ok(updated) => {
+            if !updated.is_empty() {
+              log::info!(
+                "Auto-updated {} profiles to {} {}: {:?}",
+                updated.len(),
+                browser_for_update,
+                version_for_update,
+                updated
+              );
+            }
+          }
+          Err(e) => {
+            log::error!("Failed to auto-update profile versions: {e}");
+          }
+        }
+
+        let registry = crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+        match registry.cleanup_unused_binaries() {
+          Ok(cleaned) => {
+            if !cleaned.is_empty() {
+              log::info!("Cleaned up unused binaries after download: {:?}", cleaned);
+            }
+          }
+          Err(e) => {
+            log::error!("Failed to cleanup unused binaries: {e}");
+          }
+        }
+      });
+    }
+
    Ok(version)
  }
 }
@@ -1037,6 +1113,168 @@ pub async fn cancel_download(browser_str: String, version: String) -> Result<(),
  }
 }

+/// Find all candidate `distribution/` directories inside the Camoufox browser dir.
+/// On macOS: `<browser_dir>/<app>.app/Contents/Resources/distribution/`
+/// On Linux: `<browser_dir>/camoufox/distribution/`
+/// On Windows: `<browser_dir>/distribution/`
+/// Also includes `<browser_dir>/distribution/` as a fallback for all platforms.
+#[allow(clippy::vec_init_then_push)]
+fn find_camoufox_distribution_dirs(browser_dir: &Path) -> Vec<std::path::PathBuf> {
+  let mut dirs = Vec::new();
+
+  #[cfg(target_os = "macos")]
+  {
+    if let Ok(entries) = std::fs::read_dir(browser_dir) {
+      for entry in entries.flatten() {
+        if entry.path().extension().is_some_and(|ext| ext == "app") {
+          dirs.push(
+            entry
+              .path()
+              .join("Contents")
+              .join("Resources")
+              .join("distribution"),
+          );
+        }
+      }
+    }
+  }
+
+  #[cfg(target_os = "linux")]
+  {
+    dirs.push(browser_dir.join("camoufox").join("distribution"));
+  }
+
+  // Fallback for all platforms
+  dirs.push(browser_dir.join("distribution"));
+
+  dirs
+}
+
+/// Set DuckDuckGo as the default search engine in Camoufox.
+/// Creates or updates distribution/policies.json with a proper DuckDuckGo engine definition.
+/// Called both at download time and at launch time to cover existing installations.
+pub fn configure_camoufox_search_engine(
+  browser_dir: &Path,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let distribution_dirs = find_camoufox_distribution_dirs(browser_dir);
+
+  // Find an existing policies.json, or pick the first candidate dir to create one
+  let (policies_path, mut policies) = {
+    let mut found = None;
+    for dir in &distribution_dirs {
+      let path = dir.join("policies.json");
+      if path.exists() {
+        if let Ok(content) = std::fs::read_to_string(&path) {
+          if let Ok(val) = serde_json::from_str::<serde_json::Value>(&content) {
+            found = Some((path, val));
+            break;
+          }
+        }
+      }
+    }
+    match found {
+      Some(f) => f,
+      None => {
+        // Pick the first candidate directory that exists (or can be created)
+        let target_dir = distribution_dirs
+          .iter()
+          .find(|d| d.parent().is_some_and(|p| p.exists()))
+          .or(distribution_dirs.first())
+          .ok_or("No suitable distribution directory found")?;
+        std::fs::create_dir_all(target_dir)?;
+        (
+          target_dir.join("policies.json"),
+          serde_json::json!({"policies": {}}),
+        )
+      }
+    }
+  };
+
+  // Check if already configured
+  let has_ddg_default = policies
+    .get("policies")
+    .and_then(|p| p.get("SearchEngines"))
+    .and_then(|se| se.get("Default"))
+    .and_then(|d| d.as_str())
+    == Some("DuckDuckGo");
+
+  let has_ddg_engine = policies
+    .get("policies")
+    .and_then(|p| p.get("SearchEngines"))
+    .and_then(|se| se.get("Add"))
+    .and_then(|a| a.as_array())
+    .is_some_and(|arr| {
+      arr
+        .iter()
+        .any(|e| e.get("Name").and_then(|n| n.as_str()) == Some("DuckDuckGo"))
+    });
+
+  if has_ddg_default && has_ddg_engine {
+    return Ok(());
+  }
+
+  let ddg_engine = serde_json::json!({
+    "Name": "DuckDuckGo",
+    "URLTemplate": "https://duckduckgo.com/?q={searchTerms}",
+    "SuggestURLTemplate": "https://duckduckgo.com/ac/?q={searchTerms}&type=list",
+    "Method": "GET",
+    "IconURL": "https://duckduckgo.com/favicon.ico",
+    "Alias": "ddg"
+  });
+
+  // Ensure policies.SearchEngines exists
+  let policies_obj = policies
+    .as_object_mut()
+    .ok_or("Invalid policies.json")?
+    .entry("policies")
+    .or_insert(serde_json::json!({}));
+  let se = policies_obj
+    .as_object_mut()
+    .ok_or("Invalid policies object")?
+    .entry("SearchEngines")
+    .or_insert(serde_json::json!({}));
+
+  if let Some(se_obj) = se.as_object_mut() {
+    // Set DuckDuckGo as default
+    se_obj.insert(
+      "Default".to_string(),
+      serde_json::Value::String("DuckDuckGo".to_string()),
+    );
+
+    // Add DuckDuckGo engine definition if not present
+    let add_arr = se_obj
+      .entry("Add")
+      .or_insert(serde_json::json!([]))
+      .as_array_mut()
+      .ok_or("SearchEngines.Add is not an array")?;
+
+    // Remove fake "None" engine
+    add_arr.retain(|entry| entry.get("Name").and_then(|n| n.as_str()) != Some("None"));
+
+    // Add DuckDuckGo if not already present
+    if !add_arr
+      .iter()
+      .any(|e| e.get("Name").and_then(|n| n.as_str()) == Some("DuckDuckGo"))
+    {
+      add_arr.push(ddg_engine);
+    }
+
+    // Ensure DuckDuckGo is not in the Remove list
+    if let Some(remove_arr) = se_obj.get_mut("Remove").and_then(|r| r.as_array_mut()) {
+      remove_arr.retain(|v| v.as_str() != Some("DuckDuckGo"));
+    }
+  }
+
+  let updated = serde_json::to_string_pretty(&policies)?;
+  std::fs::write(&policies_path, updated)?;
+  log::info!(
+    "Configured DuckDuckGo search engine in {}",
+    policies_path.display()
+  );
+
+  Ok(())
+}
+
 #[cfg(test)]
 mod tests {
  use super::*;
@@ -0,0 +1,328 @@
+use std::collections::HashMap;
+use std::path::{Path, PathBuf};
+use std::sync::Mutex;
+
+use crate::profile::BrowserProfile;
+
+lazy_static::lazy_static! {
+  static ref EPHEMERAL_DIRS: Mutex<HashMap<String, PathBuf>> = Mutex::new(HashMap::new());
+}
+
+/// Get or create the RAM-backed base directory for ephemeral profiles.
+/// Linux: /dev/shm (always tmpfs). macOS: RAM disk via hdiutil. Windows: imdisk RAM disk.
+fn get_ephemeral_base_dir() -> Result<PathBuf, String> {
+  #[cfg(target_os = "linux")]
+  {
+    let base = PathBuf::from("/dev/shm/donut-ephemeral");
+    std::fs::create_dir_all(&base)
+      .map_err(|e| format!("Failed to create ephemeral base in /dev/shm: {e}"))?;
+    Ok(base)
+  }
+
+  #[cfg(not(target_os = "linux"))]
+  {
+    #[cfg(target_os = "macos")]
+    {
+      if let Ok(mount) = get_or_create_macos_ramdisk() {
+        return Ok(mount);
+      }
+      log::warn!("Failed to create macOS RAM disk, ephemeral profiles may use disk");
+    }
+
+    #[cfg(target_os = "windows")]
+    {
+      if let Ok(mount) = get_or_create_windows_ramdisk() {
+        return Ok(mount);
+      }
+      log::warn!("Failed to create Windows RAM disk, ephemeral profiles may use disk");
+    }
+
+    // Fallback
+    let base = std::env::temp_dir().join("donut-ephemeral");
+    std::fs::create_dir_all(&base)
+      .map_err(|e| format!("Failed to create ephemeral base dir: {e}"))?;
+    Ok(base)
+  }
+}
+
+#[cfg(target_os = "macos")]
+fn get_or_create_macos_ramdisk() -> Result<PathBuf, String> {
+  let mount_point = PathBuf::from("/Volumes/DonutEphemeral");
+
+  // Reuse existing RAM disk from a previous session
+  if mount_point.exists() && mount_point.is_dir() {
+    return Ok(mount_point);
+  }
+
+  // 256 MB in 512-byte sectors
+  let sectors = 256 * 2048;
+  let output = std::process::Command::new("hdiutil")
+    .args(["attach", "-nomount", &format!("ram://{sectors}")])
+    .output()
+    .map_err(|e| format!("hdiutil attach failed: {e}"))?;
+
+  if !output.status.success() {
+    return Err(format!(
+      "hdiutil attach failed: {}",
+      String::from_utf8_lossy(&output.stderr)
+    ));
+  }
+
+  let dev = String::from_utf8_lossy(&output.stdout).trim().to_string();
+
+  let fmt = std::process::Command::new("diskutil")
+    .args(["erasevolume", "HFS+", "DonutEphemeral", &dev])
+    .output()
+    .map_err(|e| format!("diskutil erasevolume failed: {e}"))?;
+
+  if !fmt.status.success() {
+    let _ = std::process::Command::new("hdiutil")
+      .args(["detach", &dev])
+      .output();
+    return Err(format!(
+      "diskutil erasevolume failed: {}",
+      String::from_utf8_lossy(&fmt.stderr)
+    ));
+  }
+
+  log::info!("Created macOS RAM disk at {}", mount_point.display());
+  Ok(mount_point)
+}
+
+#[cfg(target_os = "windows")]
+fn get_or_create_windows_ramdisk() -> Result<PathBuf, String> {
+  // Check if a previous RAM disk with our directory already exists
+  for letter in ['R', 'Q', 'P', 'O'] {
+    let base = PathBuf::from(format!("{}:\\DonutEphemeral", letter));
+    if base.exists() && base.is_dir() {
+      return Ok(base);
+    }
+  }
+
+  // Try to create a RAM disk using imdisk (open-source RAM disk driver)
+  for letter in ['R', 'Q', 'P', 'O'] {
+    let drive = format!("{}:", letter);
+    if PathBuf::from(format!("{}\\", drive)).exists() {
+      continue;
+    }
+
+    let output = std::process::Command::new("imdisk")
+      .args(["-a", "-s", "256M", "-m", &drive, "-p", "/fs:ntfs /q /y"])
+      .output();
+
+    match output {
+      Ok(out) if out.status.success() => {
+        let base = PathBuf::from(format!("{}\\DonutEphemeral", drive));
+        std::fs::create_dir_all(&base)
+          .map_err(|e| format!("Failed to create dir on RAM disk: {e}"))?;
+        log::info!("Created Windows RAM disk at {}", base.display());
+        return Ok(base);
+      }
+      Ok(out) => {
+        log::debug!(
+          "imdisk failed for drive {}: {}",
+          drive,
+          String::from_utf8_lossy(&out.stderr)
+        );
+      }
+      Err(e) => {
+        return Err(format!("imdisk not available: {e}"));
+      }
+    }
+  }
+
+  Err("Could not create Windows RAM disk".to_string())
+}
+
+pub fn create_ephemeral_dir(profile_id: &str) -> Result<PathBuf, String> {
+  let base = get_ephemeral_base_dir()?;
+  let dir_path = base.join(profile_id);
+
+  std::fs::create_dir_all(&dir_path).map_err(|e| format!("Failed to create ephemeral dir: {e}"))?;
+
+  EPHEMERAL_DIRS
+    .lock()
+    .map_err(|e| format!("Failed to lock ephemeral dirs: {e}"))?
+    .insert(profile_id.to_string(), dir_path.clone());
+
+  log::info!(
+    "Created ephemeral dir for profile {}: {}",
+    profile_id,
+    dir_path.display()
+  );
+
+  Ok(dir_path)
+}
+
+pub fn get_ephemeral_dir(profile_id: &str) -> Option<PathBuf> {
+  EPHEMERAL_DIRS.lock().ok()?.get(profile_id).cloned()
+}
+
+pub fn remove_ephemeral_dir(profile_id: &str) {
+  let dir = EPHEMERAL_DIRS
+    .lock()
+    .ok()
+    .and_then(|mut map| map.remove(profile_id));
+
+  if let Some(dir_path) = dir {
+    if dir_path.exists() {
+      if let Err(e) = std::fs::remove_dir_all(&dir_path) {
+        log::warn!("Failed to remove ephemeral dir {}: {e}", dir_path.display());
+      } else {
+        log::info!(
+          "Removed ephemeral dir for profile {}: {}",
+          profile_id,
+          dir_path.display()
+        );
+      }
+    }
+  }
+}
+
+/// Recover ephemeral dir mappings on startup by scanning the RAM-backed base dir.
+/// Dir names are profile UUIDs, so we re-populate the in-memory HashMap.
+/// Also cleans up old disk-based dirs from previous versions.
+pub fn recover_ephemeral_dirs() {
+  cleanup_legacy_dirs();
+
+  let base = match get_ephemeral_base_dir() {
+    Ok(base) => base,
+    Err(e) => {
+      log::warn!("Cannot recover ephemeral dirs: {e}");
+      return;
+    }
+  };
+
+  let entries = match std::fs::read_dir(&base) {
+    Ok(entries) => entries,
+    Err(_) => return,
+  };
+
+  let mut dirs = match EPHEMERAL_DIRS.lock() {
+    Ok(dirs) => dirs,
+    Err(_) => return,
+  };
+
+  for entry in entries.flatten() {
+    if entry.path().is_dir() {
+      if let Some(name) = entry.file_name().to_str() {
+        if uuid::Uuid::parse_str(name).is_ok() {
+          dirs.insert(name.to_string(), entry.path());
+          log::info!("Recovered ephemeral dir for profile {}", name);
+        }
+      }
+    }
+  }
+}
+
+/// Remove old-format ephemeral dirs from /tmp (pre-tmpfs migration).
+fn cleanup_legacy_dirs() {
+  let temp_dir = std::env::temp_dir();
+  let entries = match std::fs::read_dir(&temp_dir) {
+    Ok(entries) => entries,
+    Err(_) => return,
+  };
+
+  for entry in entries.flatten() {
+    if let Some(name) = entry.file_name().to_str() {
+      if name.starts_with("donut-ephemeral-") && entry.path().is_dir() {
+        if let Err(e) = std::fs::remove_dir_all(entry.path()) {
+          log::warn!("Failed to clean up legacy ephemeral dir: {e}");
+        } else {
+          log::info!(
+            "Cleaned up legacy ephemeral dir: {}",
+            entry.path().display()
+          );
+        }
+      }
+    }
+  }
+}
+
+pub fn get_effective_profile_path(profile: &BrowserProfile, profiles_dir: &Path) -> PathBuf {
+  if profile.ephemeral {
+    if let Some(dir) = get_ephemeral_dir(&profile.id.to_string()) {
+      return dir;
+    }
+  }
+  profile.get_profile_data_path(profiles_dir)
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  fn make_test_profile(id: uuid::Uuid, ephemeral: bool) -> BrowserProfile {
+    BrowserProfile {
+      id,
+      name: "test".to_string(),
+      browser: "camoufox".to_string(),
+      version: "1.0".to_string(),
+      proxy_id: None,
+      vpn_id: None,
+      process_id: None,
+      last_launch: None,
+      release_type: "stable".to_string(),
+      camoufox_config: None,
+      wayfern_config: None,
+      group_id: None,
+      tags: Vec::new(),
+      note: None,
+      sync_mode: crate::profile::types::SyncMode::Disabled,
+      encryption_salt: None,
+      last_sync: None,
+      host_os: None,
+      ephemeral,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
+    }
+  }
+
+  #[test]
+  fn test_ephemeral_dir_lifecycle() {
+    let profile_id = uuid::Uuid::new_v4();
+    let id_str = profile_id.to_string();
+
+    let dir = create_ephemeral_dir(&id_str).unwrap();
+    assert!(dir.is_dir());
+    assert_eq!(get_ephemeral_dir(&id_str), Some(dir.clone()));
+
+    let ephemeral_profile = make_test_profile(profile_id, true);
+    let profiles_dir = std::env::temp_dir().join("test_profiles_ephemeral");
+    assert_eq!(
+      get_effective_profile_path(&ephemeral_profile, &profiles_dir),
+      dir
+    );
+
+    remove_ephemeral_dir(&id_str);
+    assert!(!dir.exists());
+    assert!(get_ephemeral_dir(&id_str).is_none());
+
+    let persistent_profile = make_test_profile(uuid::Uuid::new_v4(), false);
+    let expected = persistent_profile.get_profile_data_path(&profiles_dir);
+    assert_eq!(
+      get_effective_profile_path(&persistent_profile, &profiles_dir),
+      expected
+    );
+  }
+
+  #[test]
+  fn test_recover_ephemeral_dirs() {
+    let base = get_ephemeral_base_dir().unwrap();
+    let test_id = uuid::Uuid::new_v4().to_string();
+    let test_dir = base.join(&test_id);
+    std::fs::create_dir_all(&test_dir).unwrap();
+
+    // Clear the HashMap so recovery has something to find
+    EPHEMERAL_DIRS.lock().unwrap().remove(&test_id);
+    assert!(get_ephemeral_dir(&test_id).is_none());
+
+    recover_ephemeral_dirs();
+    assert_eq!(get_ephemeral_dir(&test_id), Some(test_dir.clone()));
+
+    // Clean up
+    remove_ephemeral_dir(&test_id);
+  }
+}
@@ -593,7 +593,11 @@ impl Extractor {
      }
    }

-    log::info!("ZIP extraction completed. Searching for executable...");
+    log::info!("ZIP extraction completed.");
+
+    self.flatten_single_directory_archive(dest_dir)?;
+
+    log::info!("Searching for executable...");
    self
      .find_extracted_executable(dest_dir)
      .await
@@ -617,7 +621,9 @@ impl Extractor {
    // Set executable permissions for extracted files
    self.set_executable_permissions_recursive(dest_dir).await?;

-    log::info!("tar.gz extraction completed. Searching for executable...");
+    log::info!("tar.gz extraction completed.");
+    self.flatten_single_directory_archive(dest_dir)?;
+    log::info!("Searching for executable...");
    self.find_extracted_executable(dest_dir).await
  }

@@ -638,7 +644,9 @@ impl Extractor {
    // Set executable permissions for extracted files
    self.set_executable_permissions_recursive(dest_dir).await?;

-    log::info!("tar.bz2 extraction completed. Searching for executable...");
+    log::info!("tar.bz2 extraction completed.");
+    self.flatten_single_directory_archive(dest_dir)?;
+    log::info!("Searching for executable...");
    self.find_extracted_executable(dest_dir).await
  }

@@ -673,7 +681,9 @@ impl Extractor {
    // Set executable permissions for extracted files
    self.set_executable_permissions_recursive(dest_dir).await?;

-    log::info!("tar.xz extraction completed. Searching for executable...");
+    log::info!("tar.xz extraction completed.");
+    self.flatten_single_directory_archive(dest_dir)?;
+    log::info!("Searching for executable...");
    self.find_extracted_executable(dest_dir).await
  }

@@ -691,7 +701,9 @@ impl Extractor {
      extractor.to(dest_dir);
    }

-    log::info!("MSI extraction completed. Searching for executable...");
+    log::info!("MSI extraction completed.");
+    self.flatten_single_directory_archive(dest_dir)?;
+    log::info!("Searching for executable...");
    self.find_extracted_executable(dest_dir).await
  }

@@ -778,6 +790,80 @@ impl Extractor {
    self.find_extracted_executable(dest_dir).await
  }

+  fn flatten_single_directory_archive(
+    &self,
+    dest_dir: &Path,
+  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    let entries: Vec<_> = fs::read_dir(dest_dir)?.filter_map(|e| e.ok()).collect();
+
+    let archive_extensions = ["zip", "tar", "xz", "gz", "bz2", "dmg", "msi", "exe"];
+
+    let mut dirs = Vec::new();
+    let mut has_non_archive_files = false;
+
+    for entry in &entries {
+      let path = entry.path();
+      if path.is_dir() {
+        dirs.push(path);
+      } else if let Some(ext) = path.extension().and_then(|e| e.to_str()) {
+        if !archive_extensions.contains(&ext.to_lowercase().as_str()) {
+          has_non_archive_files = true;
+        }
+      } else {
+        has_non_archive_files = true;
+      }
+    }
+
+    if dirs.len() == 1 && !has_non_archive_files {
+      let single_dir = &dirs[0];
+
+      if single_dir.extension().is_some_and(|ext| ext == "app") {
+        log::info!(
+          "Skipping flatten: {} is a macOS app bundle",
+          single_dir.display()
+        );
+        return Ok(());
+      }
+
+      log::info!(
+        "Flattening single-directory archive: moving contents of {} to {}",
+        single_dir.display(),
+        dest_dir.display()
+      );
+
+      let inner_entries: Vec<_> = fs::read_dir(single_dir)?.filter_map(|e| e.ok()).collect();
+
+      for entry in inner_entries {
+        let source = entry.path();
+        let file_name = match source.file_name() {
+          Some(name) => name.to_owned(),
+          None => continue,
+        };
+        let target = dest_dir.join(&file_name);
+        fs::rename(&source, &target).map_err(|e| {
+          format!(
+            "Failed to move {} to {}: {}",
+            source.display(),
+            target.display(),
+            e
+          )
+        })?;
+      }
+
+      fs::remove_dir(single_dir).map_err(|e| {
+        format!(
+          "Failed to remove empty directory {}: {}",
+          single_dir.display(),
+          e
+        )
+      })?;
+
+      log::info!("Successfully flattened archive directory structure");
+    }
+
+    Ok(())
+  }
+
  async fn find_extracted_executable(
    &self,
    dest_dir: &Path,
@@ -76,21 +76,39 @@ impl GeoIPDownloader {
      false
    }
  }
-  /// Check if GeoIP database is missing for Camoufox profiles
+
+  fn get_timestamp_path() -> PathBuf {
+    crate::app_dirs::cache_dir().join("geoip_last_download")
+  }
+
+  fn is_geoip_stale() -> bool {
+    let timestamp_path = Self::get_timestamp_path();
+    let Ok(content) = std::fs::read_to_string(&timestamp_path) else {
+      return true;
+    };
+    let Ok(timestamp) = content.trim().parse::<u64>() else {
+      return true;
+    };
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap_or_default()
+      .as_secs();
+    const SEVEN_DAYS: u64 = 7 * 24 * 60 * 60;
+    now.saturating_sub(timestamp) > SEVEN_DAYS
+  }
+
+  /// Check if GeoIP database is missing or stale for Camoufox profiles
  pub fn check_missing_geoip_database(
    &self,
  ) -> Result<bool, Box<dyn std::error::Error + Send + Sync>> {
-    // Get all profiles
    let profiles = ProfileManager::instance()
      .list_profiles()
      .map_err(|e| format!("Failed to list profiles: {e}"))?;

-    // Check if there are any Camoufox profiles
    let has_camoufox_profiles = profiles.iter().any(|profile| profile.browser == "camoufox");

    if has_camoufox_profiles {
-      // Check if GeoIP database is available
-      return Ok(!Self::is_geoip_database_available());
+      return Ok(!Self::is_geoip_database_available() || Self::is_geoip_stale());
    }

    Ok(false)
@@ -201,6 +219,17 @@ impl GeoIPDownloader {

    file.flush().await?;

+    // Write download timestamp
+    let timestamp_path = Self::get_timestamp_path();
+    if let Some(parent) = timestamp_path.parent() {
+      let _ = fs::create_dir_all(parent).await;
+    }
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap_or_default()
+      .as_secs();
+    let _ = fs::write(&timestamp_path, now.to_string()).await;
+
    // Emit completion
    let _ = events::emit(
      "geoip-download-progress",
@@ -362,6 +391,31 @@ mod tests {
    assert!(path.to_string_lossy().ends_with("GeoLite2-City.mmdb"));
  }

+  #[test]
+  fn test_is_geoip_stale() {
+    let tmp = tempfile::TempDir::new().unwrap();
+    let _guard = crate::app_dirs::set_test_cache_dir(tmp.path().to_path_buf());
+
+    // No timestamp file → stale
+    assert!(GeoIPDownloader::is_geoip_stale());
+
+    let timestamp_path = GeoIPDownloader::get_timestamp_path();
+    std::fs::create_dir_all(timestamp_path.parent().unwrap()).unwrap();
+
+    // Recent timestamp → not stale
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap()
+      .as_secs();
+    std::fs::write(&timestamp_path, now.to_string()).unwrap();
+    assert!(!GeoIPDownloader::is_geoip_stale());
+
+    // 8 days ago → stale
+    let eight_days_ago = now - 8 * 24 * 60 * 60;
+    std::fs::write(&timestamp_path, eight_days_ago.to_string()).unwrap();
+    assert!(GeoIPDownloader::is_geoip_stale());
+  }
+
  #[test]
  fn test_is_geoip_database_available() {
    // Test that the function works correctly regardless of file system state.
@@ -1,8 +1,6 @@
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::fs;
-use std::path::{Path, PathBuf};
 use std::sync::Mutex;

 use crate::events;
@@ -33,48 +31,15 @@ struct GroupsData {
  groups: Vec<ProfileGroup>,
 }

-pub struct GroupManager {
-  base_dirs: BaseDirs,
-  data_dir_override: Option<PathBuf>,
-}
+pub struct GroupManager;

 impl GroupManager {
  pub fn new() -> Self {
-    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
-      data_dir_override: std::env::var("DONUTBROWSER_DATA_DIR")
-        .ok()
-        .map(PathBuf::from),
-    }
+    Self
  }

-  // Helper for tests to override data directory without global env var
-  #[allow(dead_code)]
-  pub fn with_data_dir_override(dir: &Path) -> Self {
-    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
-      data_dir_override: Some(dir.to_path_buf()),
-    }
-  }
-
-  fn get_groups_file_path(&self) -> PathBuf {
-    if let Some(dir) = &self.data_dir_override {
-      let mut override_path = dir.clone();
-      // Ensure the directory exists before returning the path
-      let _ = fs::create_dir_all(&override_path);
-      override_path.push("groups.json");
-      return override_path;
-    }
-
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("data");
-    path.push("groups.json");
-    path
+  fn get_groups_file_path(&self) -> std::path::PathBuf {
+    crate::app_dirs::data_subdir().join("groups.json")
  }

  fn load_groups_data(&self) -> Result<GroupsData, Box<dyn std::error::Error>> {
@@ -119,10 +84,11 @@ impl GroupManager {
      return Err(format!("Group with name '{name}' already exists").into());
    }

+    let sync_enabled = crate::sync::is_sync_configured();
    let group = ProfileGroup {
      id: uuid::Uuid::new_v4().to_string(),
      name,
-      sync_enabled: false,
+      sync_enabled,
      last_sync: None,
    };

@@ -134,6 +100,15 @@ impl GroupManager {
      log::error!("Failed to emit groups-changed event: {e}");
    }

+    if group.sync_enabled {
+      if let Some(scheduler) = crate::sync::get_global_scheduler() {
+        let id = group.id.clone();
+        tauri::async_runtime::spawn(async move {
+          scheduler.queue_group_sync(id).await;
+        });
+      }
+    }
+
    Ok(group)
  }

@@ -170,6 +145,15 @@ impl GroupManager {
      log::error!("Failed to emit groups-changed event: {e}");
    }

+    if updated_group.sync_enabled {
+      if let Some(scheduler) = crate::sync::get_global_scheduler() {
+        let id = updated_group.id.clone();
+        tauri::async_runtime::spawn(async move {
+          scheduler.queue_group_sync(id).await;
+        });
+      }
+    }
+
    Ok(updated_group)
  }

@@ -207,6 +191,17 @@ impl GroupManager {
    Ok(())
  }

+  pub fn delete_group_internal(&self, id: &str) -> Result<(), Box<dyn std::error::Error>> {
+    let mut groups_data = self.load_groups_data()?;
+    let initial_len = groups_data.groups.len();
+    groups_data.groups.retain(|g| g.id != id);
+    if groups_data.groups.len() == initial_len {
+      return Err(format!("Group with id '{id}' not found").into());
+    }
+    self.save_groups_data(&groups_data)?;
+    Ok(())
+  }
+
  pub fn delete_group(
    &self,
    app_handle: &tauri::AppHandle,
@@ -11,6 +11,7 @@ static PENDING_URLS: Mutex<Vec<String>> = Mutex::new(Vec::new());
 mod api_client;
 mod api_server;
 mod app_auto_updater;
+pub mod app_dirs;
 mod auto_updater;
 mod browser;
 mod browser_runner;
@@ -20,6 +21,8 @@ mod camoufox_manager;
 mod default_browser;
 mod downloaded_browsers_registry;
 mod downloader;
+mod ephemeral_dirs;
+mod extension_manager;
 mod extraction;
 mod geoip_downloader;
 mod group_manager;
@@ -47,8 +50,11 @@ pub mod daemon_ws;
 pub mod events;
 mod mcp_server;
 mod tag_manager;
+mod team_lock;
 mod version_updater;
 pub mod vpn;
+pub mod vpn_worker_runner;
+pub mod vpn_worker_storage;

 use browser_runner::{
  check_browser_exists, kill_browser_profile, launch_browser_profile, open_url_with_profile,
@@ -57,7 +63,8 @@ use browser_runner::{
 use profile::manager::{
  check_browser_status, clone_profile, create_browser_profile_new, delete_profile,
  list_browser_profiles, rename_profile, update_camoufox_config, update_profile_note,
-  update_profile_proxy, update_profile_tags, update_wayfern_config,
+  update_profile_proxy, update_profile_proxy_bypass_rules, update_profile_tags, update_profile_vpn,
+  update_wayfern_config,
 };

 use browser_version_manager::{
@@ -74,14 +81,18 @@ use downloaded_browsers_registry::{
 use downloader::{cancel_download, download_browser};

 use settings_manager::{
-  decline_launch_on_login, enable_launch_on_login, get_app_settings, get_sync_settings,
-  get_system_language, get_table_sorting_settings, save_app_settings, save_sync_settings,
+  decline_launch_on_login, dismiss_window_resize_warning, enable_launch_on_login, get_app_settings,
+  get_sync_settings, get_system_language, get_table_sorting_settings,
+  get_window_resize_warning_dismissed, save_app_settings, save_sync_settings,
  save_table_sorting_settings, should_show_launch_on_login_prompt,
 };

 use sync::{
-  is_group_in_use_by_synced_profile, is_proxy_in_use_by_synced_profile, request_profile_sync,
-  set_group_sync_enabled, set_profile_sync_enabled, set_proxy_sync_enabled,
+  check_has_e2e_password, delete_e2e_password, enable_sync_for_all_entities,
+  get_unsynced_entity_counts, is_group_in_use_by_synced_profile, is_proxy_in_use_by_synced_profile,
+  is_vpn_in_use_by_synced_profile, request_profile_sync, set_e2e_password,
+  set_extension_group_sync_enabled, set_extension_sync_enabled, set_group_sync_enabled,
+  set_profile_sync_mode, set_proxy_sync_enabled, set_vpn_sync_enabled,
 };

 use tag_manager::get_all_tags;
@@ -104,6 +115,12 @@ use app_auto_updater::{

 use profile_importer::{detect_existing_profiles, import_browser_profile};

+use extension_manager::{
+  add_extension, add_extension_to_group, assign_extension_group_to_profile, create_extension_group,
+  delete_extension, delete_extension_group, get_extension_group_for_profile, list_extension_groups,
+  list_extensions, remove_extension_from_group, update_extension, update_extension_group,
+};
+
 use group_manager::{
  assign_profiles_to_group, create_profile_group, delete_profile_group, delete_selected_profiles,
  get_groups_with_profile_counts, get_profile_groups, update_profile_group,
@@ -280,9 +297,41 @@ async fn copy_profile_cookies(
  app_handle: tauri::AppHandle,
  request: cookie_manager::CookieCopyRequest,
 ) -> Result<Vec<cookie_manager::CookieCopyResult>, String> {
+  if !crate::cloud_auth::CLOUD_AUTH
+    .has_active_paid_subscription()
+    .await
+  {
+    return Err("Cookie copying requires an active Pro subscription".to_string());
+  }
  cookie_manager::CookieManager::copy_cookies(&app_handle, request).await
 }

+#[tauri::command]
+async fn import_cookies_from_file(
+  app_handle: tauri::AppHandle,
+  profile_id: String,
+  content: String,
+) -> Result<cookie_manager::CookieImportResult, String> {
+  if !crate::cloud_auth::CLOUD_AUTH
+    .has_active_paid_subscription()
+    .await
+  {
+    return Err("Cookie import requires an active Pro subscription".to_string());
+  }
+  cookie_manager::CookieManager::import_cookies(&app_handle, &profile_id, &content).await
+}
+
+#[tauri::command]
+async fn export_profile_cookies(profile_id: String, format: String) -> Result<String, String> {
+  if !crate::cloud_auth::CLOUD_AUTH
+    .has_active_paid_subscription()
+    .await
+  {
+    return Err("Cookie export requires an active Pro subscription".to_string());
+  }
+  cookie_manager::CookieManager::export_cookies(&profile_id, &format)
+}
+
 #[tauri::command]
 fn check_wayfern_terms_accepted() -> bool {
  wayfern_terms::WayfernTermsManager::instance().is_terms_accepted()
@@ -429,13 +478,23 @@ async fn import_vpn_config(
    .map_err(|e| format!("Failed to lock VPN storage: {e}"))?;

  match storage.import_config(&content, &filename, name.clone()) {
-    Ok(config) => Ok(vpn::VpnImportResult {
-      success: true,
-      vpn_id: Some(config.id),
-      vpn_type: Some(config.vpn_type),
-      name: config.name,
-      error: None,
-    }),
+    Ok(config) => {
+      if config.sync_enabled {
+        if let Some(scheduler) = sync::get_global_scheduler() {
+          let id = config.id.clone();
+          tauri::async_runtime::spawn(async move {
+            scheduler.queue_vpn_sync(id).await;
+          });
+        }
+      }
+      Ok(vpn::VpnImportResult {
+        success: true,
+        vpn_id: Some(config.id),
+        vpn_type: Some(config.vpn_type),
+        name: config.name,
+        error: None,
+      })
+    }
    Err(e) => Ok(vpn::VpnImportResult {
      success: false,
      vpn_id: None,
@@ -469,69 +528,168 @@ async fn get_vpn_config(vpn_id: String) -> Result<vpn::VpnConfig, String> {
 }

 #[tauri::command]
-async fn delete_vpn_config(vpn_id: String) -> Result<(), String> {
-  // First disconnect if connected
+async fn delete_vpn_config(app_handle: tauri::AppHandle, vpn_id: String) -> Result<(), String> {
+  // First disconnect if connected (stop VPN worker)
+  let _ = vpn_worker_runner::stop_vpn_worker_by_vpn_id(&vpn_id).await;
+
+  // Check if sync was enabled before deleting
+  let was_sync_enabled = {
+    let storage = vpn::VPN_STORAGE
+      .lock()
+      .map_err(|e| format!("Failed to lock VPN storage: {e}"))?;
+    storage
+      .load_config(&vpn_id)
+      .map(|c| c.sync_enabled)
+      .unwrap_or(false)
+  };
+
+  // Delete from storage
  {
-    let mut manager = vpn::TUNNEL_MANAGER.lock().await;
-    if manager.is_tunnel_active(&vpn_id) {
-      if let Some(tunnel) = manager.get_tunnel_mut(&vpn_id) {
-        let _ = tunnel.disconnect().await;
-      }
-      manager.remove_tunnel(&vpn_id);
-    }
+    let storage = vpn::VPN_STORAGE
+      .lock()
+      .map_err(|e| format!("Failed to lock VPN storage: {e}"))?;
+
+    storage
+      .delete_config(&vpn_id)
+      .map_err(|e| format!("Failed to delete VPN config: {e}"))?;
  }

-  // Then delete from storage
-  let storage = vpn::VPN_STORAGE
-    .lock()
-    .map_err(|e| format!("Failed to lock VPN storage: {e}"))?;
+  // If sync was enabled, also delete from remote
+  if was_sync_enabled {
+    let vpn_id_clone = vpn_id.clone();
+    let app_handle_clone = app_handle.clone();
+    tauri::async_runtime::spawn(async move {
+      match sync::SyncEngine::create_from_settings(&app_handle_clone).await {
+        Ok(engine) => {
+          if let Err(e) = engine.delete_vpn(&vpn_id_clone).await {
+            log::warn!("Failed to delete VPN {} from sync: {}", vpn_id_clone, e);
+          } else {
+            log::info!("VPN {} deleted from sync storage", vpn_id_clone);
+          }
+        }
+        Err(e) => {
+          log::debug!("Sync not configured, skipping remote VPN deletion: {}", e);
+        }
+      }
+    });
+  }

-  storage
-    .delete_config(&vpn_id)
-    .map_err(|e| format!("Failed to delete VPN config: {e}"))
+  let _ = events::emit("vpn-configs-changed", ());
+
+  Ok(())
 }

 #[tauri::command]
-async fn connect_vpn(vpn_id: String) -> Result<(), String> {
-  // Load config from storage
+async fn create_vpn_config_manual(
+  name: String,
+  vpn_type: vpn::VpnType,
+  config_data: String,
+) -> Result<vpn::VpnConfig, String> {
  let config = {
    let storage = vpn::VPN_STORAGE
      .lock()
      .map_err(|e| format!("Failed to lock VPN storage: {e}"))?;

    storage
-      .load_config(&vpn_id)
-      .map_err(|e| format!("Failed to load VPN config: {e}"))?
+      .create_config_manual(&name, vpn_type, &config_data)
+      .map_err(|e| format!("Failed to create VPN config: {e}"))?
  };

-  // Create and connect the appropriate tunnel
-  let mut manager = vpn::TUNNEL_MANAGER.lock().await;
-
-  // Check if already connected
-  if manager.is_tunnel_active(&vpn_id) {
-    return Ok(());
+  if config.sync_enabled {
+    if let Some(scheduler) = sync::get_global_scheduler() {
+      let id = config.id.clone();
+      tauri::async_runtime::spawn(async move {
+        scheduler.queue_vpn_sync(id).await;
+      });
+    }
  }

-  let mut tunnel: Box<dyn vpn::VpnTunnel> = match config.vpn_type {
-    vpn::VpnType::WireGuard => {
-      let wg_config = vpn::parse_wireguard_config(&config.config_data)
-        .map_err(|e| format!("Invalid WireGuard config: {e}"))?;
-      Box::new(vpn::WireGuardTunnel::new(vpn_id.clone(), wg_config))
+  Ok(config)
+}
+
+#[tauri::command]
+async fn update_vpn_config(vpn_id: String, name: String) -> Result<vpn::VpnConfig, String> {
+  let config = {
+    let storage = vpn::VPN_STORAGE
+      .lock()
+      .map_err(|e| format!("Failed to lock VPN storage: {e}"))?;
+
+    storage
+      .update_config_name(&vpn_id, &name)
+      .map_err(|e| format!("Failed to update VPN config: {e}"))?
+  };
+
+  if config.sync_enabled {
+    if let Some(scheduler) = sync::get_global_scheduler() {
+      let id = config.id.clone();
+      tauri::async_runtime::spawn(async move {
+        scheduler.queue_vpn_sync(id).await;
+      });
    }
-    vpn::VpnType::OpenVPN => {
-      let ovpn_config = vpn::parse_openvpn_config(&config.config_data)
-        .map_err(|e| format!("Invalid OpenVPN config: {e}"))?;
-      Box::new(vpn::OpenVpnTunnel::new(vpn_id.clone(), ovpn_config))
+  }
+
+  Ok(config)
+}
+
+#[tauri::command]
+async fn check_vpn_validity(
+  vpn_id: String,
+) -> Result<crate::proxy_manager::ProxyCheckResult, String> {
+  let now = std::time::SystemTime::now()
+    .duration_since(std::time::UNIX_EPOCH)
+    .unwrap_or_default()
+    .as_secs();
+
+  // Start a temporary VPN worker to send real traffic
+  let vpn_worker = vpn_worker_runner::start_vpn_worker(&vpn_id)
+    .await
+    .map_err(|e| format!("Failed to start VPN worker: {e}"))?;
+
+  let socks_url = format!("socks5://127.0.0.1:{}", vpn_worker.local_port.unwrap_or(0));
+
+  // Fetch public IP through the VPN SOCKS5 proxy
+  let result = match ip_utils::fetch_public_ip(Some(&socks_url)).await {
+    Ok(ip) => {
+      let (city, country, country_code) =
+        crate::proxy_manager::ProxyManager::get_ip_geolocation(&ip)
+          .await
+          .unwrap_or_default();
+
+      crate::proxy_manager::ProxyCheckResult {
+        ip,
+        city,
+        country,
+        country_code,
+        timestamp: now,
+        is_valid: true,
+      }
+    }
+    Err(e) => {
+      log::warn!("VPN check failed to fetch public IP: {e}");
+      crate::proxy_manager::ProxyCheckResult {
+        ip: String::new(),
+        city: None,
+        country: None,
+        country_code: None,
+        timestamp: now,
+        is_valid: false,
+      }
    }
  };

-  tunnel
-    .connect()
+  // Stop the temporary VPN worker
+  let _ = vpn_worker_runner::stop_vpn_worker(&vpn_worker.id).await;
+
+  Ok(result)
+}
+
+#[tauri::command]
+async fn connect_vpn(vpn_id: String) -> Result<(), String> {
+  // Start VPN worker process (detached, survives GUI shutdown)
+  vpn_worker_runner::start_vpn_worker(&vpn_id)
    .await
    .map_err(|e| format!("Failed to connect VPN: {e}"))?;

-  manager.register_tunnel(vpn_id.clone(), tunnel);
-
  // Update last_used timestamp
  {
    let storage = vpn::VPN_STORAGE
@@ -545,27 +703,27 @@ async fn connect_vpn(vpn_id: String) -> Result<(), String> {

 #[tauri::command]
 async fn disconnect_vpn(vpn_id: String) -> Result<(), String> {
-  let mut manager = vpn::TUNNEL_MANAGER.lock().await;
-
-  if let Some(tunnel) = manager.get_tunnel_mut(&vpn_id) {
-    tunnel
-      .disconnect()
-      .await
-      .map_err(|e| format!("Failed to disconnect VPN: {e}"))?;
-  }
-
-  manager.remove_tunnel(&vpn_id);
+  vpn_worker_runner::stop_vpn_worker_by_vpn_id(&vpn_id)
+    .await
+    .map_err(|e| format!("Failed to disconnect VPN: {e}"))?;
  Ok(())
 }

 #[tauri::command]
 async fn get_vpn_status(vpn_id: String) -> Result<vpn::VpnStatus, String> {
-  let manager = vpn::TUNNEL_MANAGER.lock().await;
+  use crate::proxy_storage::is_process_running;

-  if let Some(tunnel) = manager.get_tunnel(&vpn_id) {
-    Ok(tunnel.get_status())
+  if let Some(worker) = vpn_worker_storage::find_vpn_worker_by_vpn_id(&vpn_id) {
+    let connected = worker.pid.map(is_process_running).unwrap_or(false);
+    Ok(vpn::VpnStatus {
+      connected,
+      vpn_id,
+      connected_at: None,
+      bytes_sent: None,
+      bytes_received: None,
+      last_handshake: None,
+    })
  } else {
-    // Not connected
    Ok(vpn::VpnStatus {
      connected: false,
      vpn_id,
@@ -579,8 +737,23 @@ async fn get_vpn_status(vpn_id: String) -> Result<vpn::VpnStatus, String> {

 #[tauri::command]
 async fn list_active_vpn_connections() -> Result<Vec<vpn::VpnStatus>, String> {
-  let manager = vpn::TUNNEL_MANAGER.lock().await;
-  Ok(manager.get_all_statuses())
+  use crate::proxy_storage::is_process_running;
+
+  let workers = vpn_worker_storage::list_vpn_worker_configs();
+  Ok(
+    workers
+      .into_iter()
+      .filter(|w| w.pid.map(is_process_running).unwrap_or(false))
+      .map(|w| vpn::VpnStatus {
+        connected: true,
+        vpn_id: w.vpn_id,
+        connected_at: None,
+        bytes_sent: None,
+        bytes_received: None,
+        last_handshake: None,
+      })
+      .collect(),
+  )
 }

 #[cfg_attr(mobile, tauri::mobile_entry_point)]
@@ -594,12 +767,7 @@ pub fn run() {
    pending.push(url.clone());
  }

-  // Configure logging plugin with separate logs for dev and production
-  let log_file_name = if cfg!(debug_assertions) {
-    "DonutBrowserDev"
-  } else {
-    "DonutBrowser"
-  };
+  let log_file_name = app_dirs::app_name();

  tauri::Builder::default()
    .plugin(
@@ -630,9 +798,16 @@ pub fn run() {
        })
        .build(),
    )
-    .plugin(tauri_plugin_single_instance::init(|_, args, _cwd| {
-      log::info!("Single instance triggered with args: {args:?}");
-    }))
+    .plugin(tauri_plugin_single_instance::init(
+      |app_handle, args, _cwd| {
+        log::info!("Single instance triggered with args: {args:?}");
+        if let Some(window) = app_handle.get_webview_window("main") {
+          let _ = window.show();
+          let _ = window.set_focus();
+          let _ = window.unminimize();
+        }
+      },
+    ))
    .plugin(tauri_plugin_deep_link::init())
    .plugin(tauri_plugin_fs::init())
    .plugin(tauri_plugin_opener::init())
@@ -640,11 +815,42 @@ pub fn run() {
    .plugin(tauri_plugin_dialog::init())
    .plugin(tauri_plugin_macos_permissions::init())
    .setup(|app| {
+      // Recover ephemeral dir mappings from RAM-backed storage (tmpfs/ramdisk)
+      ephemeral_dirs::recover_ephemeral_dirs();
+
      // Start the daemon for tray icon
      if let Err(e) = daemon_spawn::ensure_daemon_running() {
        log::warn!("Failed to start daemon: {e}");
      }

+      // Register this GUI's PID in daemon state so the daemon can kill us directly
+      daemon_spawn::register_gui_pid();
+
+      // Monitor daemon health - quit GUI if daemon dies
+      tauri::async_runtime::spawn(async move {
+        // Give the daemon time to fully start
+        tokio::time::sleep(tokio::time::Duration::from_secs(3)).await;
+
+        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(1));
+        interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
+
+        loop {
+          interval.tick().await;
+
+          let is_running = tokio::task::spawn_blocking(daemon_spawn::is_daemon_running)
+            .await
+            .unwrap_or(false);
+
+          if !is_running {
+            log::warn!("Daemon is no longer running, quitting GUI immediately");
+            // Use process::exit for immediate termination. Tauri's exit()
+            // triggers a slow graceful shutdown that can take over a minute
+            // waiting for async tasks (sync, version updater, etc.) to finish.
+            std::process::exit(0);
+          }
+        }
+      });
+
      // Create the main window programmatically
      #[allow(unused_variables)]
      let win_builder = WebviewWindowBuilder::new(app, "main", WebviewUrl::default())
@@ -810,29 +1016,31 @@ pub fn run() {
        }
      });

-      let _app_handle_update = app.handle().clone();
      tauri::async_runtime::spawn(async move {
-        log::info!("Starting app update check at startup...");
        let updater = app_auto_updater::AppAutoUpdater::instance();
-        match updater.check_for_updates().await {
-          Ok(Some(update_info)) => {
-            log::info!(
-              "App update available: {} -> {}",
-              update_info.current_version,
-              update_info.new_version
-            );
-            // Emit update available event to the frontend
-            if let Err(e) = events::emit("app-update-available", &update_info) {
-              log::error!("Failed to emit app update event: {e}");
-            } else {
-              log::debug!("App update event emitted successfully");
+        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(3 * 60 * 60));
+
+        loop {
+          interval.tick().await;
+
+          log::info!("Checking for app updates...");
+          match updater.check_for_updates().await {
+            Ok(Some(update_info)) => {
+              log::info!(
+                "App update available: {} -> {}",
+                update_info.current_version,
+                update_info.new_version
+              );
+              if let Err(e) = events::emit("app-update-available", &update_info) {
+                log::error!("Failed to emit app update event: {e}");
+              }
+            }
+            Ok(None) => {
+              log::debug!("No app updates available");
+            }
+            Err(e) => {
+              log::error!("Failed to check for app updates: {e}");
            }
-          }
-          Ok(None) => {
-            log::debug!("No app updates available");
-          }
-          Err(e) => {
-            log::error!("Failed to check for app updates: {e}");
          }
        }
      });
@@ -1075,6 +1283,12 @@ pub fn run() {
              {
                log::warn!("Failed to check for missing profiles: {}", e);
              }
+              if let Err(e) = engine
+                .check_for_missing_synced_entities(&app_handle_sync)
+                .await
+              {
+                log::warn!("Failed to check for missing entities: {}", e);
+              }
            }
            Err(e) => {
              log::debug!("Sync not configured, skipping missing profile check: {}", e);
@@ -1124,8 +1338,10 @@ pub fn run() {
      get_all_tags,
      get_browser_release_types,
      update_profile_proxy,
+      update_profile_vpn,
      update_profile_tags,
      update_profile_note,
+      update_profile_proxy_bypass_rules,
      check_browser_status,
      kill_browser_profile,
      rename_profile,
@@ -1137,6 +1353,8 @@ pub fn run() {
      get_table_sorting_settings,
      save_table_sorting_settings,
      get_system_language,
+      dismiss_window_resize_warning,
+      get_window_resize_warning_dismissed,
      clear_all_version_cache_and_refetch,
      is_default_browser,
      open_url_with_profile,
@@ -1175,6 +1393,18 @@ pub fn run() {
      delete_profile_group,
      assign_profiles_to_group,
      delete_selected_profiles,
+      list_extensions,
+      add_extension,
+      update_extension,
+      delete_extension,
+      list_extension_groups,
+      create_extension_group,
+      update_extension_group,
+      delete_extension_group,
+      add_extension_to_group,
+      remove_extension_from_group,
+      assign_extension_group_to_profile,
+      get_extension_group_for_profile,
      is_geoip_database_available,
      download_geoip_database,
      start_api_server,
@@ -1185,14 +1415,25 @@ pub fn run() {
      get_traffic_stats_for_period,
      get_sync_settings,
      save_sync_settings,
-      set_profile_sync_enabled,
+      set_profile_sync_mode,
      request_profile_sync,
      set_proxy_sync_enabled,
      set_group_sync_enabled,
      is_proxy_in_use_by_synced_profile,
      is_group_in_use_by_synced_profile,
+      set_vpn_sync_enabled,
+      is_vpn_in_use_by_synced_profile,
+      set_extension_sync_enabled,
+      set_extension_group_sync_enabled,
+      get_unsynced_entity_counts,
+      enable_sync_for_all_entities,
+      set_e2e_password,
+      check_has_e2e_password,
+      delete_e2e_password,
      read_profile_cookies,
      copy_profile_cookies,
+      import_cookies_from_file,
+      export_profile_cookies,
      check_wayfern_terms_accepted,
      check_wayfern_downloaded,
      accept_wayfern_terms,
@@ -1208,6 +1449,9 @@ pub fn run() {
      list_vpn_configs,
      get_vpn_config,
      delete_vpn_config,
+      create_vpn_config_manual,
+      update_vpn_config,
+      check_vpn_validity,
      connect_vpn,
      disconnect_vpn,
      get_vpn_status,
@@ -1223,10 +1467,23 @@ pub fn run() {
      cloud_auth::cloud_get_states,
      cloud_auth::cloud_get_cities,
      cloud_auth::create_cloud_location_proxy,
-      cloud_auth::restart_sync_service
+      cloud_auth::restart_sync_service,
+      // Team lock commands
+      team_lock::get_team_locks,
+      team_lock::get_team_lock_status,
    ])
-    .run(tauri::generate_context!())
-    .expect("error while running tauri application");
+    .build(tauri::generate_context!())
+    .expect("error while building tauri application")
+    .run(|_app_handle, _event| {
+      #[cfg(target_os = "macos")]
+      if let tauri::RunEvent::Reopen { .. } = _event {
+        if let Some(window) = _app_handle.get_webview_window("main") {
+          let _ = window.show();
+          let _ = window.set_focus();
+          let _ = window.unminimize();
+        }
+      }
+    });
 }

 #[cfg(test)]
@@ -1247,13 +1504,16 @@ mod tests {
    // Commands that are intentionally not used in the frontend
    // but are used via MCP server or other programmatic APIs
    let mcp_only_commands = [
-      "list_vpn_configs",
-      "get_vpn_config",
-      "delete_vpn_config",
      "connect_vpn",
      "disconnect_vpn",
      "get_vpn_status",
+      "get_vpn_config",
      "list_active_vpn_connections",
+      "export_profile_cookies",
+      "update_extension",
+      "set_extension_sync_enabled",
+      "set_extension_group_sync_enabled",
+      "get_team_lock_status",
    ];

    // Extract command names from the generate_handler! macro in this file
@@ -18,6 +18,7 @@ use tokio::net::TcpListener;
 use tokio::sync::Mutex as AsyncMutex;

 use crate::browser::ProxySettings;
+use crate::cloud_auth::CLOUD_AUTH;
 use crate::group_manager::GROUP_MANAGER;
 use crate::profile::{BrowserProfile, ProfileManager};
 use crate::proxy_manager::PROXY_MANAGER;
@@ -679,6 +680,159 @@ impl McpServer {
          "required": ["vpn_id"]
        }),
      },
+      // Fingerprint management tools
+      McpTool {
+        name: "get_profile_fingerprint".to_string(),
+        description: "Get the fingerprint configuration for a Wayfern or Camoufox profile"
+          .to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "profile_id": {
+              "type": "string",
+              "description": "The UUID of the profile"
+            }
+          },
+          "required": ["profile_id"]
+        }),
+      },
+      McpTool {
+        name: "update_profile_fingerprint".to_string(),
+        description:
+          "Update the fingerprint configuration for a Wayfern or Camoufox profile. Requires an active Pro subscription."
+            .to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "profile_id": {
+              "type": "string",
+              "description": "The UUID of the profile to update"
+            },
+            "fingerprint": {
+              "type": "string",
+              "description": "JSON string of the fingerprint configuration, or null to clear"
+            },
+            "os": {
+              "type": "string",
+              "enum": ["windows", "macos", "linux"],
+              "description": "Operating system for fingerprint generation"
+            },
+            "randomize_fingerprint_on_launch": {
+              "type": "boolean",
+              "description": "Whether to generate a new fingerprint on every launch"
+            }
+          },
+          "required": ["profile_id"]
+        }),
+      },
+      McpTool {
+        name: "update_profile_proxy_bypass_rules".to_string(),
+        description:
+          "Update proxy bypass rules for a profile. Requests matching these rules will connect directly, bypassing the proxy."
+            .to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "profile_id": {
+              "type": "string",
+              "description": "The UUID of the profile to update"
+            },
+            "rules": {
+              "type": "array",
+              "items": { "type": "string" },
+              "description": "Array of bypass rules. Supports hostnames (e.g. 'example.com'), IP addresses, and regex patterns."
+            }
+          },
+          "required": ["profile_id", "rules"]
+        }),
+      },
+      McpTool {
+        name: "list_extensions".to_string(),
+        description: "List all managed browser extensions. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {},
+          "required": []
+        }),
+      },
+      McpTool {
+        name: "list_extension_groups".to_string(),
+        description: "List all extension groups. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {},
+          "required": []
+        }),
+      },
+      McpTool {
+        name: "create_extension_group".to_string(),
+        description: "Create a new extension group. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "name": { "type": "string", "description": "Name for the extension group" }
+          },
+          "required": ["name"]
+        }),
+      },
+      McpTool {
+        name: "delete_extension".to_string(),
+        description: "Delete a managed extension. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "extension_id": { "type": "string", "description": "The extension ID to delete" }
+          },
+          "required": ["extension_id"]
+        }),
+      },
+      McpTool {
+        name: "delete_extension_group".to_string(),
+        description: "Delete an extension group. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "group_id": { "type": "string", "description": "The extension group ID to delete" }
+          },
+          "required": ["group_id"]
+        }),
+      },
+      McpTool {
+        name: "assign_extension_group_to_profile".to_string(),
+        description: "Assign an extension group to a profile, or remove the assignment. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "profile_id": { "type": "string", "description": "The profile ID" },
+            "extension_group_id": { "type": "string", "description": "The extension group ID, or empty string to remove" }
+          },
+          "required": ["profile_id"]
+        }),
+      },
+      // Team lock tools
+      McpTool {
+        name: "get_team_locks".to_string(),
+        description: "List all active team profile locks. Requires team plan.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {},
+          "required": []
+        }),
+      },
+      McpTool {
+        name: "get_team_lock_status".to_string(),
+        description: "Check if a profile is locked by a team member. Requires team plan.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "profile_id": {
+              "type": "string",
+              "description": "The UUID of the profile to check"
+            }
+          },
+          "required": ["profile_id"]
+        }),
+      },
    ]
  }

@@ -777,6 +931,28 @@ impl McpServer {
      "connect_vpn" => self.handle_connect_vpn(&arguments).await,
      "disconnect_vpn" => self.handle_disconnect_vpn(&arguments).await,
      "get_vpn_status" => self.handle_get_vpn_status(&arguments).await,
+      // Fingerprint management
+      "get_profile_fingerprint" => self.handle_get_profile_fingerprint(&arguments).await,
+      "update_profile_fingerprint" => self.handle_update_profile_fingerprint(&arguments).await,
+      "update_profile_proxy_bypass_rules" => {
+        self
+          .handle_update_profile_proxy_bypass_rules(&arguments)
+          .await
+      }
+      // Extension management
+      "list_extensions" => self.handle_list_extensions().await,
+      "list_extension_groups" => self.handle_list_extension_groups().await,
+      "create_extension_group" => self.handle_create_extension_group(&arguments).await,
+      "delete_extension" => self.handle_delete_extension_mcp(&arguments).await,
+      "delete_extension_group" => self.handle_delete_extension_group_mcp(&arguments).await,
+      "assign_extension_group_to_profile" => {
+        self
+          .handle_assign_extension_group_to_profile(&arguments)
+          .await
+      }
+      // Team lock tools
+      "get_team_locks" => self.handle_get_team_locks().await,
+      "get_team_lock_status" => self.handle_get_team_lock_status(&arguments).await,
      _ => Err(McpError {
        code: -32602,
        message: format!("Unknown tool: {tool_name}"),
@@ -891,6 +1067,14 @@ impl McpServer {
      });
    }

+    // Team lock check
+    crate::team_lock::acquire_team_lock_if_needed(profile)
+      .await
+      .map_err(|e| McpError {
+        code: -32000,
+        message: e,
+      })?;
+
    // Get app handle to launch
    let inner = self.inner.lock().await;
    let app_handle = inner.app_handle.as_ref().ok_or_else(|| McpError {
@@ -972,6 +1156,8 @@ impl McpServer {
        message: format!("Failed to kill browser: {e}"),
      })?;

+    crate::team_lock::release_team_lock_if_needed(profile).await;
+
    Ok(serde_json::json!({
      "content": [{
        "type": "text",
@@ -1702,16 +1888,8 @@ impl McpServer {
        message: "Missing vpn_id".to_string(),
      })?;

-    // First disconnect if connected
-    {
-      let mut manager = crate::vpn::TUNNEL_MANAGER.lock().await;
-      if manager.is_tunnel_active(vpn_id) {
-        if let Some(tunnel) = manager.get_tunnel_mut(vpn_id) {
-          let _ = tunnel.disconnect().await;
-        }
-        manager.remove_tunnel(vpn_id);
-      }
-    }
+    // First disconnect if connected (stop VPN worker)
+    let _ = crate::vpn_worker_runner::stop_vpn_worker_by_vpn_id(vpn_id).await;

    let storage = crate::vpn::VPN_STORAGE.lock().map_err(|e| McpError {
      code: -32000,
@@ -1743,63 +1921,14 @@ impl McpServer {
        message: "Missing vpn_id".to_string(),
      })?;

-    // Load config from storage
-    let config = {
-      let storage = crate::vpn::VPN_STORAGE.lock().map_err(|e| McpError {
+    // Start VPN worker process
+    crate::vpn_worker_runner::start_vpn_worker(vpn_id)
+      .await
+      .map_err(|e| McpError {
        code: -32000,
-        message: format!("Failed to lock VPN storage: {e}"),
+        message: format!("Failed to connect VPN: {e}"),
      })?;

-      storage.load_config(vpn_id).map_err(|e| McpError {
-        code: -32000,
-        message: format!("Failed to load VPN config: {e}"),
-      })?
-    };
-
-    let mut manager = crate::vpn::TUNNEL_MANAGER.lock().await;
-
-    // Check if already connected
-    if manager.is_tunnel_active(vpn_id) {
-      return Ok(serde_json::json!({
-        "content": [{
-          "type": "text",
-          "text": format!("VPN '{}' is already connected", config.name)
-        }]
-      }));
-    }
-
-    let mut tunnel: Box<dyn crate::vpn::VpnTunnel> = match config.vpn_type {
-      crate::vpn::VpnType::WireGuard => {
-        let wg_config =
-          crate::vpn::parse_wireguard_config(&config.config_data).map_err(|e| McpError {
-            code: -32000,
-            message: format!("Invalid WireGuard config: {e}"),
-          })?;
-        Box::new(crate::vpn::WireGuardTunnel::new(
-          vpn_id.to_string(),
-          wg_config,
-        ))
-      }
-      crate::vpn::VpnType::OpenVPN => {
-        let ovpn_config =
-          crate::vpn::parse_openvpn_config(&config.config_data).map_err(|e| McpError {
-            code: -32000,
-            message: format!("Invalid OpenVPN config: {e}"),
-          })?;
-        Box::new(crate::vpn::OpenVpnTunnel::new(
-          vpn_id.to_string(),
-          ovpn_config,
-        ))
-      }
-    };
-
-    tunnel.connect().await.map_err(|e| McpError {
-      code: -32000,
-      message: format!("Failed to connect VPN: {e}"),
-    })?;
-
-    manager.register_tunnel(vpn_id.to_string(), tunnel);
-
    // Update last_used timestamp
    {
      let storage = crate::vpn::VPN_STORAGE.lock().map_err(|e| McpError {
@@ -1812,7 +1941,7 @@ impl McpServer {
    Ok(serde_json::json!({
      "content": [{
        "type": "text",
-        "text": format!("VPN '{}' connected successfully", config.name)
+        "text": format!("VPN '{}' connected successfully", vpn_id)
      }]
    }))
  }
@@ -1829,16 +1958,12 @@ impl McpServer {
        message: "Missing vpn_id".to_string(),
      })?;

-    let mut manager = crate::vpn::TUNNEL_MANAGER.lock().await;
-
-    if let Some(tunnel) = manager.get_tunnel_mut(vpn_id) {
-      tunnel.disconnect().await.map_err(|e| McpError {
+    crate::vpn_worker_runner::stop_vpn_worker_by_vpn_id(vpn_id)
+      .await
+      .map_err(|e| McpError {
        code: -32000,
        message: format!("Failed to disconnect VPN: {e}"),
      })?;
-    }
-
-    manager.remove_tunnel(vpn_id);

    Ok(serde_json::json!({
      "content": [{
@@ -1860,19 +1985,23 @@ impl McpServer {
        message: "Missing vpn_id".to_string(),
      })?;

-    let manager = crate::vpn::TUNNEL_MANAGER.lock().await;
+    let connected =
+      if let Some(worker) = crate::vpn_worker_storage::find_vpn_worker_by_vpn_id(vpn_id) {
+        worker
+          .pid
+          .map(crate::proxy_storage::is_process_running)
+          .unwrap_or(false)
+      } else {
+        false
+      };

-    let status = if let Some(tunnel) = manager.get_tunnel(vpn_id) {
-      tunnel.get_status()
-    } else {
-      crate::vpn::VpnStatus {
-        connected: false,
-        vpn_id: vpn_id.to_string(),
-        connected_at: None,
-        bytes_sent: None,
-        bytes_received: None,
-        last_handshake: None,
-      }
+    let status = crate::vpn::VpnStatus {
+      connected,
+      vpn_id: vpn_id.to_string(),
+      connected_at: None,
+      bytes_sent: None,
+      bytes_received: None,
+      last_handshake: None,
    };

    Ok(serde_json::json!({
@@ -1882,6 +2011,464 @@ impl McpServer {
      }]
    }))
  }
+
+  // Fingerprint management handlers
+  async fn handle_get_profile_fingerprint(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    let profile_id = arguments
+      .get("profile_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing profile_id".to_string(),
+      })?;
+
+    let profiles = ProfileManager::instance()
+      .list_profiles()
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to list profiles: {e}"),
+      })?;
+
+    let profile = profiles
+      .iter()
+      .find(|p| p.id.to_string() == profile_id)
+      .ok_or_else(|| McpError {
+        code: -32000,
+        message: format!("Profile not found: {profile_id}"),
+      })?;
+
+    let fingerprint_info = match profile.browser.as_str() {
+      "camoufox" => {
+        let config = profile
+          .camoufox_config
+          .as_ref()
+          .cloned()
+          .unwrap_or_default();
+        serde_json::json!({
+          "browser": "camoufox",
+          "fingerprint": config.fingerprint,
+          "os": config.os,
+          "randomize_fingerprint_on_launch": config.randomize_fingerprint_on_launch,
+          "screen_max_width": config.screen_max_width,
+          "screen_max_height": config.screen_max_height,
+          "screen_min_width": config.screen_min_width,
+          "screen_min_height": config.screen_min_height,
+        })
+      }
+      "wayfern" => {
+        let config = profile.wayfern_config.as_ref().cloned().unwrap_or_default();
+        serde_json::json!({
+          "browser": "wayfern",
+          "fingerprint": config.fingerprint,
+          "os": config.os,
+          "randomize_fingerprint_on_launch": config.randomize_fingerprint_on_launch,
+          "screen_max_width": config.screen_max_width,
+          "screen_max_height": config.screen_max_height,
+          "screen_min_width": config.screen_min_width,
+          "screen_min_height": config.screen_min_height,
+        })
+      }
+      _ => {
+        return Err(McpError {
+          code: -32000,
+          message: "MCP only supports Wayfern and Camoufox profiles".to_string(),
+        })
+      }
+    };
+
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": serde_json::to_string_pretty(&fingerprint_info).unwrap_or_default()
+      }]
+    }))
+  }
+
+  async fn handle_update_profile_fingerprint(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Fingerprint editing requires an active Pro subscription".to_string(),
+      });
+    }
+
+    let profile_id = arguments
+      .get("profile_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing profile_id".to_string(),
+      })?;
+
+    let fingerprint = arguments.get("fingerprint").and_then(|v| v.as_str());
+    let os = arguments.get("os").and_then(|v| v.as_str());
+    let randomize = arguments
+      .get("randomize_fingerprint_on_launch")
+      .and_then(|v| v.as_bool());
+
+    if let Some(os_val) = os {
+      if !CLOUD_AUTH.is_fingerprint_os_allowed(Some(os_val)).await {
+        return Err(McpError {
+          code: -32000,
+          message: format!(
+            "OS spoofing to '{}' requires an active Pro subscription",
+            os_val
+          ),
+        });
+      }
+    }
+
+    let profiles = ProfileManager::instance()
+      .list_profiles()
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to list profiles: {e}"),
+      })?;
+
+    let profile = profiles
+      .iter()
+      .find(|p| p.id.to_string() == profile_id)
+      .ok_or_else(|| McpError {
+        code: -32000,
+        message: format!("Profile not found: {profile_id}"),
+      })?;
+
+    let inner = self.inner.lock().await;
+    let app_handle = inner.app_handle.as_ref().ok_or_else(|| McpError {
+      code: -32000,
+      message: "MCP server not properly initialized".to_string(),
+    })?;
+
+    match profile.browser.as_str() {
+      "camoufox" => {
+        let mut config = profile
+          .camoufox_config
+          .as_ref()
+          .cloned()
+          .unwrap_or_default();
+        if let Some(fp) = fingerprint {
+          config.fingerprint = Some(fp.to_string());
+        }
+        if let Some(os_val) = os {
+          config.os = Some(os_val.to_string());
+        }
+        if let Some(r) = randomize {
+          config.randomize_fingerprint_on_launch = Some(r);
+        }
+        ProfileManager::instance()
+          .update_camoufox_config(app_handle.clone(), profile_id, config)
+          .await
+          .map_err(|e| McpError {
+            code: -32000,
+            message: format!("Failed to update camoufox config: {e}"),
+          })?;
+      }
+      "wayfern" => {
+        let mut config = profile.wayfern_config.as_ref().cloned().unwrap_or_default();
+        if let Some(fp) = fingerprint {
+          config.fingerprint = Some(fp.to_string());
+        }
+        if let Some(os_val) = os {
+          config.os = Some(os_val.to_string());
+        }
+        if let Some(r) = randomize {
+          config.randomize_fingerprint_on_launch = Some(r);
+        }
+        ProfileManager::instance()
+          .update_wayfern_config(app_handle.clone(), profile_id, config)
+          .await
+          .map_err(|e| McpError {
+            code: -32000,
+            message: format!("Failed to update wayfern config: {e}"),
+          })?;
+      }
+      _ => {
+        return Err(McpError {
+          code: -32000,
+          message: "MCP only supports Wayfern and Camoufox profiles".to_string(),
+        })
+      }
+    }
+
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": format!("Fingerprint configuration updated for profile '{}'", profile.name)
+      }]
+    }))
+  }
+
+  async fn handle_update_profile_proxy_bypass_rules(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    let profile_id = arguments
+      .get("profile_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing profile_id".to_string(),
+      })?;
+
+    let rules: Vec<String> = arguments
+      .get("rules")
+      .and_then(|v| v.as_array())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing rules array".to_string(),
+      })?
+      .iter()
+      .filter_map(|v| v.as_str().map(|s| s.to_string()))
+      .collect();
+
+    let inner = self.inner.lock().await;
+    let app_handle = inner.app_handle.as_ref().ok_or_else(|| McpError {
+      code: -32000,
+      message: "MCP server not properly initialized".to_string(),
+    })?;
+
+    let profile = ProfileManager::instance()
+      .update_profile_proxy_bypass_rules(app_handle, profile_id, rules.clone())
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to update proxy bypass rules: {e}"),
+      })?;
+
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": format!(
+          "Proxy bypass rules updated for profile '{}': {} rule(s) configured",
+          profile.name,
+          rules.len()
+        )
+      }]
+    }))
+  }
+
+  async fn handle_list_extensions(&self) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    let extensions = mgr.list_extensions().map_err(|e| McpError {
+      code: -32000,
+      message: format!("Failed to list extensions: {e}"),
+    })?;
+    Ok(serde_json::to_value(extensions).unwrap())
+  }
+
+  async fn handle_list_extension_groups(&self) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    let groups = mgr.list_groups().map_err(|e| McpError {
+      code: -32000,
+      message: format!("Failed to list extension groups: {e}"),
+    })?;
+    Ok(serde_json::to_value(groups).unwrap())
+  }
+
+  async fn handle_create_extension_group(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let name = arguments
+      .get("name")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing required parameter: name".to_string(),
+      })?;
+    let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    let group = mgr.create_group(name.to_string()).map_err(|e| McpError {
+      code: -32000,
+      message: format!("Failed to create extension group: {e}"),
+    })?;
+    Ok(serde_json::to_value(group).unwrap())
+  }
+
+  async fn handle_delete_extension_mcp(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let extension_id = arguments
+      .get("extension_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing required parameter: extension_id".to_string(),
+      })?;
+    let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    mgr
+      .delete_extension_internal(extension_id)
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to delete extension: {e}"),
+      })?;
+    Ok(serde_json::json!({"success": true}))
+  }
+
+  async fn handle_delete_extension_group_mcp(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let group_id = arguments
+      .get("group_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing required parameter: group_id".to_string(),
+      })?;
+    let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    // For MCP, we don't have an app_handle, but we need one for sync deletion.
+    // Use the delete_group_internal which skips sync remote deletion.
+    mgr.delete_group_internal(group_id).map_err(|e| McpError {
+      code: -32000,
+      message: format!("Failed to delete extension group: {e}"),
+    })?;
+    if let Err(e) = crate::events::emit_empty("extensions-changed") {
+      log::error!("Failed to emit extensions-changed event: {e}");
+    }
+    Ok(serde_json::json!({"success": true}))
+  }
+
+  async fn handle_assign_extension_group_to_profile(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let profile_id = arguments
+      .get("profile_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing required parameter: profile_id".to_string(),
+      })?;
+    let extension_group_id = arguments
+      .get("extension_group_id")
+      .and_then(|v| v.as_str())
+      .map(|s| {
+        if s.is_empty() {
+          None
+        } else {
+          Some(s.to_string())
+        }
+      })
+      .unwrap_or(None);
+
+    // Validate compatibility if assigning
+    if let Some(ref gid) = extension_group_id {
+      let profile_manager = ProfileManager::instance();
+      let profiles = profile_manager.list_profiles().map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to list profiles: {e}"),
+      })?;
+      let profile = profiles
+        .iter()
+        .find(|p| p.id.to_string() == profile_id)
+        .ok_or_else(|| McpError {
+          code: -32000,
+          message: format!("Profile '{profile_id}' not found"),
+        })?;
+      let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      mgr
+        .validate_group_compatibility(gid, &profile.browser)
+        .map_err(|e| McpError {
+          code: -32000,
+          message: format!("{e}"),
+        })?;
+    }
+
+    let profile_manager = ProfileManager::instance();
+    let profile = profile_manager
+      .update_profile_extension_group(profile_id, extension_group_id)
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to assign extension group: {e}"),
+      })?;
+    Ok(serde_json::to_value(profile).unwrap())
+  }
+
+  async fn handle_get_team_locks(&self) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.is_on_team_plan().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Team features require an active team plan".to_string(),
+      });
+    }
+    let locks = crate::team_lock::TEAM_LOCK.get_locks().await;
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": serde_json::to_string_pretty(&locks).unwrap_or_default()
+      }]
+    }))
+  }
+
+  async fn handle_get_team_lock_status(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.is_on_team_plan().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Team features require an active team plan".to_string(),
+      });
+    }
+    let profile_id = arguments
+      .get("profile_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing profile_id".to_string(),
+      })?;
+    let lock_status = crate::team_lock::TEAM_LOCK
+      .get_lock_status(profile_id)
+      .await;
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": serde_json::to_string_pretty(&lock_status).unwrap_or_default()
+      }]
+    }))
+  }
 }

 lazy_static::lazy_static! {
@@ -1897,8 +2484,8 @@ mod tests {
    let server = McpServer::new();
    let tools = server.get_tools();

-    // Should have at least 24 tools (18 + 6 VPN tools)
-    assert!(tools.len() >= 24);
+    // Should have at least 34 tools (26 + 6 extension tools + 2 team lock tools)
+    assert!(tools.len() >= 34);

    // Check tool names
    let tool_names: Vec<&str> = tools.iter().map(|t| t.name.as_str()).collect();
@@ -1931,6 +2518,20 @@ mod tests {
    assert!(tool_names.contains(&"connect_vpn"));
    assert!(tool_names.contains(&"disconnect_vpn"));
    assert!(tool_names.contains(&"get_vpn_status"));
+    // Fingerprint tools
+    assert!(tool_names.contains(&"get_profile_fingerprint"));
+    assert!(tool_names.contains(&"update_profile_fingerprint"));
+    assert!(tool_names.contains(&"update_profile_proxy_bypass_rules"));
+    // Extension tools
+    assert!(tool_names.contains(&"list_extensions"));
+    assert!(tool_names.contains(&"list_extension_groups"));
+    assert!(tool_names.contains(&"create_extension_group"));
+    assert!(tool_names.contains(&"delete_extension"));
+    assert!(tool_names.contains(&"delete_extension_group"));
+    assert!(tool_names.contains(&"assign_extension_group_to_profile"));
+    // Team lock tools
+    assert!(tool_names.contains(&"get_team_locks"));
+    assert!(tool_names.contains(&"get_team_lock_status"));
  }

  #[test]
@@ -651,8 +651,11 @@ pub mod windows {
    use std::process::Command;

    // Try taskkill command as fallback
+    use std::os::windows::process::CommandExt;
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
    let output = Command::new("taskkill")
      .args(["/F", "/PID", &pid.to_string()])
+      .creation_flags(CREATE_NO_WINDOW)
      .output();

    match output {
@@ -871,18 +874,158 @@ pub mod linux {

  pub async fn kill_browser_process_impl(
    pid: u32,
+    profile_data_path: Option<&str>,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-    use sysinfo::{Pid, System};
-    let system = System::new_all();
-    if let Some(process) = system.process(Pid::from(pid as usize)) {
-      if !process.kill() {
-        return Err(format!("Failed to kill process {}", pid).into());
+    use sysinfo::{Pid, ProcessRefreshKind, RefreshKind, System};
+
+    log::info!("Attempting to kill browser process with PID: {pid}");
+
+    let mut pids_to_kill = vec![pid];
+
+    // Find all descendant processes
+    let descendants = get_all_descendant_pids(pid);
+    pids_to_kill.extend(descendants);
+
+    // Find additional processes using the same profile path
+    if let Some(profile_path) = profile_data_path {
+      let additional_pids = find_processes_by_profile_path(profile_path);
+      for p in additional_pids {
+        if !pids_to_kill.contains(&p) {
+          log::info!("Found additional process {} using profile path", p);
+          pids_to_kill.push(p);
+        }
      }
-    } else {
-      return Err(format!("Process {} not found", pid).into());
    }

-    log::info!("Successfully killed browser process with PID: {pid}");
+    log::info!("Total processes to kill: {:?}", pids_to_kill);
+
+    // Send SIGKILL to all identified processes
+    for &p in &pids_to_kill {
+      log::info!("Sending SIGKILL to PID: {p}");
+      let _ = Command::new("kill")
+        .args(["-KILL", &p.to_string()])
+        .output();
+    }
+
+    // Also kill by process group and parent PID
+    let pid_str = pid.to_string();
+    let _ = Command::new("pkill")
+      .args(["-KILL", "-P", &pid_str])
+      .output();
+
+    tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
+
+    // Verify processes are dead
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
+    let mut still_running = Vec::new();
+    for &p in &pids_to_kill {
+      if system.process(Pid::from(p as usize)).is_some() {
+        still_running.push(p);
+      }
+    }
+
+    if !still_running.is_empty() {
+      log::info!(
+        "Processes {:?} still running, trying final termination",
+        still_running
+      );
+
+      for p in &still_running {
+        let _ = Command::new("kill")
+          .args(["-KILL", &p.to_string()])
+          .output();
+      }
+
+      tokio::time::sleep(tokio::time::Duration::from_millis(1000)).await;
+
+      let system = System::new_with_specifics(
+        RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+      );
+      let mut final_still_running = Vec::new();
+      for &p in &pids_to_kill {
+        if system.process(Pid::from(p as usize)).is_some() {
+          final_still_running.push(p);
+        }
+      }
+
+      if !final_still_running.is_empty() {
+        log::error!(
+          "ERROR: Processes {:?} could not be terminated despite aggressive attempts",
+          final_still_running
+        );
+        return Err(
+          format!(
+            "Failed to terminate browser processes {:?} - still running",
+            final_still_running
+          )
+          .into(),
+        );
+      }
+    }
+
+    log::info!("Browser termination completed for PID: {pid}");
    Ok(())
  }
+
+  fn find_processes_by_profile_path(profile_path: &str) -> Vec<u32> {
+    use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+
+    let mut pids = Vec::new();
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
+
+    for (pid, process) in system.processes() {
+      let cmd = process.cmd();
+      if cmd.is_empty() {
+        continue;
+      }
+
+      let has_profile = cmd.iter().any(|arg| {
+        if let Some(arg_str) = arg.to_str() {
+          arg_str.contains(profile_path)
+        } else {
+          false
+        }
+      });
+
+      if has_profile {
+        pids.push(pid.as_u32());
+      }
+    }
+
+    pids
+  }
+
+  fn get_all_descendant_pids(parent_pid: u32) -> Vec<u32> {
+    use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
+    let mut descendants = Vec::new();
+    let mut to_check = vec![parent_pid];
+    let mut checked = std::collections::HashSet::new();
+
+    while let Some(current_pid) = to_check.pop() {
+      if checked.contains(&current_pid) {
+        continue;
+      }
+      checked.insert(current_pid);
+
+      for (pid, process) in system.processes() {
+        let pid_u32 = pid.as_u32();
+        if let Some(parent) = process.parent() {
+          if parent.as_u32() == current_pid && !checked.contains(&pid_u32) {
+            descendants.push(pid_u32);
+            to_check.push(pid_u32);
+          }
+        }
+      }
+    }
+
+    descendants
+  }
 }
@@ -1,18 +1,17 @@
 use crate::api_client::is_browser_version_nightly;
 use crate::browser::{create_browser, BrowserType, ProxySettings};
 use crate::camoufox_manager::CamoufoxConfig;
+use crate::cloud_auth::CLOUD_AUTH;
 use crate::downloaded_browsers_registry::DownloadedBrowsersRegistry;
 use crate::events;
-use crate::profile::types::BrowserProfile;
+use crate::profile::types::{get_host_os, BrowserProfile, SyncMode};
 use crate::proxy_manager::PROXY_MANAGER;
 use crate::wayfern_manager::WayfernConfig;
-use directories::BaseDirs;
 use std::fs::{self, create_dir_all};
 use std::path::{Path, PathBuf};
-use sysinfo::{Pid, System};
+use sysinfo::{Pid, ProcessRefreshKind, RefreshKind, System};

 pub struct ProfileManager {
-  base_dirs: BaseDirs,
  camoufox_manager: &'static crate::camoufox_manager::CamoufoxManager,
  wayfern_manager: &'static crate::wayfern_manager::WayfernManager,
 }
@@ -20,7 +19,6 @@ pub struct ProfileManager {
 impl ProfileManager {
  fn new() -> Self {
    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
      camoufox_manager: crate::camoufox_manager::CamoufoxManager::instance(),
      wayfern_manager: crate::wayfern_manager::WayfernManager::instance(),
    }
@@ -31,25 +29,11 @@ impl ProfileManager {
  }

  pub fn get_profiles_dir(&self) -> PathBuf {
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("profiles");
-    path
+    crate::app_dirs::profiles_dir()
  }

  pub fn get_binaries_dir(&self) -> PathBuf {
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("binaries");
-    path
+    crate::app_dirs::binaries_dir()
  }

  #[allow(clippy::too_many_arguments)]
@@ -61,10 +45,24 @@ impl ProfileManager {
    version: &str,
    release_type: &str,
    proxy_id: Option<String>,
+    vpn_id: Option<String>,
    camoufox_config: Option<CamoufoxConfig>,
    wayfern_config: Option<WayfernConfig>,
    group_id: Option<String>,
+    ephemeral: bool,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    if proxy_id.is_some() && vpn_id.is_some() {
+      return Err("Cannot set both proxy_id and vpn_id".into());
+    }
+
+    // Sync cloud proxy credentials if the profile uses a cloud or cloud-derived proxy
+    if let Some(ref pid) = proxy_id {
+      if PROXY_MANAGER.is_cloud_or_derived(pid) || pid == crate::proxy_manager::CLOUD_PROXY_ID {
+        log::info!("Syncing cloud proxy credentials before profile creation");
+        CLOUD_AUTH.sync_cloud_proxy().await;
+      }
+    }
+
    log::info!("Attempting to create profile: {name}");

    // Check if a profile with this name already exists (case insensitive)
@@ -85,7 +83,9 @@ impl ProfileManager {

    // Create profile directory with UUID and profile subdirectory
    create_dir_all(&profile_uuid_dir)?;
-    create_dir_all(&profile_data_dir)?;
+    if !ephemeral {
+      create_dir_all(&profile_data_dir)?;
+    }

    // For Camoufox profiles, generate fingerprint during creation
    let final_camoufox_config = if browser == "camoufox" {
@@ -163,6 +163,7 @@ impl ProfileManager {
          browser: browser.to_string(),
          version: version.to_string(),
          proxy_id: proxy_id.clone(),
+          vpn_id: None,
          process_id: None,
          last_launch: None,
          release_type: release_type.to_string(),
@@ -171,8 +172,15 @@ impl ProfileManager {
          group_id: group_id.clone(),
          tags: Vec::new(),
          note: None,
-          sync_enabled: false,
+          sync_mode: SyncMode::Disabled,
+          encryption_salt: None,
          last_sync: None,
+          host_os: None,
+          ephemeral: false,
+          extension_group_id: None,
+          proxy_bypass_rules: Vec::new(),
+          created_by_id: None,
+          created_by_email: None,
        };

        match self
@@ -276,6 +284,7 @@ impl ProfileManager {
          browser: browser.to_string(),
          version: version.to_string(),
          proxy_id: proxy_id.clone(),
+          vpn_id: None,
          process_id: None,
          last_launch: None,
          release_type: release_type.to_string(),
@@ -284,8 +293,15 @@ impl ProfileManager {
          group_id: group_id.clone(),
          tags: Vec::new(),
          note: None,
-          sync_enabled: false,
+          sync_mode: SyncMode::Disabled,
+          encryption_salt: None,
          last_sync: None,
+          host_os: None,
+          ephemeral: false,
+          extension_group_id: None,
+          proxy_bypass_rules: Vec::new(),
+          created_by_id: None,
+          created_by_email: None,
        };

        match self
@@ -321,6 +337,7 @@ impl ProfileManager {
      browser: browser.to_string(),
      version: version.to_string(),
      proxy_id: proxy_id.clone(),
+      vpn_id: vpn_id.clone(),
      process_id: None,
      last_launch: None,
      release_type: release_type.to_string(),
@@ -329,8 +346,15 @@ impl ProfileManager {
      group_id: group_id.clone(),
      tags: Vec::new(),
      note: None,
-      sync_enabled: false,
+      sync_mode: SyncMode::Disabled,
+      encryption_salt: None,
      last_sync: None,
+      host_os: Some(get_host_os()),
+      ephemeral,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
    };

    // Save profile info
@@ -344,16 +368,19 @@ impl ProfileManager {
    log::info!("Profile '{name}' created successfully with ID: {profile_id}");

    // Create user.js with common Firefox preferences and apply proxy settings if provided
-    if let Some(proxy_id_ref) = &proxy_id {
-      if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_ref) {
-        self.apply_proxy_settings_to_profile(&profile_data_dir, &proxy_settings, None)?;
+    // Skip for ephemeral profiles since the data dir is created at launch time
+    if !ephemeral {
+      if let Some(proxy_id_ref) = &proxy_id {
+        if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_ref) {
+          self.apply_proxy_settings_to_profile(&profile_data_dir, &proxy_settings, None)?;
+        } else {
+          // Proxy ID provided but not found, disable proxy
+          self.disable_proxy_settings_in_profile(&profile_data_dir)?;
+        }
      } else {
-        // Proxy ID provided but not found, disable proxy
+        // Create user.js with common Firefox preferences but no proxy
        self.disable_proxy_settings_in_profile(&profile_data_dir)?;
      }
-    } else {
-      // Create user.js with common Firefox preferences but no proxy
-      self.disable_proxy_settings_in_profile(&profile_data_dir)?;
    }

    // Emit profile creation event
@@ -466,15 +493,15 @@ impl ProfileManager {
      .find(|p| p.id == profile_uuid)
      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;

-    // Check if browser is running
-    if profile.process_id.is_some() {
+    // Check if browser is running (cross-OS profiles can't be running locally)
+    if profile.process_id.is_some() && !profile.is_cross_os() {
      return Err(
        "Cannot delete profile while browser is running. Please stop the browser first.".into(),
      );
    }

-    // Remember sync_enabled before deleting local files
-    let was_sync_enabled = profile.sync_enabled;
+    // Remember sync mode before deleting local files
+    let was_sync_enabled = profile.is_sync_enabled();

    let profiles_dir = self.get_profiles_dir();
    let profile_uuid_dir = profiles_dir.join(profile.id.to_string());
@@ -620,7 +647,7 @@ impl ProfileManager {
      self.save_profile(&profile)?;

      // Auto-enable sync for new group if profile has sync enabled
-      if profile.sync_enabled {
+      if profile.is_sync_enabled() {
        if let Some(ref new_group_id) = group_id {
          let group_id_clone = new_group_id.clone();
          let app_handle_clone = app_handle.clone();
@@ -717,6 +744,31 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub fn update_profile_proxy_bypass_rules(
+    &self,
+    _app_handle: &tauri::AppHandle,
+    profile_id: &str,
+    rules: Vec<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.proxy_bypass_rules = rules;
+
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub fn delete_multiple_profiles(
    &self,
    app_handle: &tauri::AppHandle,
@@ -733,8 +785,8 @@ impl ProfileManager {
        .find(|p| p.id == profile_uuid)
        .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;

-      // Check if browser is running
-      if profile.process_id.is_some() {
+      // Check if browser is running (cross-OS profiles can't be running locally)
+      if profile.process_id.is_some() && !profile.is_cross_os() {
        return Err(
          format!(
            "Cannot delete profile '{}' while browser is running. Please stop the browser first.",
@@ -745,7 +797,7 @@ impl ProfileManager {
      }

      // Track sync-enabled profiles for remote deletion
-      if profile.sync_enabled {
+      if profile.is_sync_enabled() {
        sync_enabled_ids.push(profile_id.clone());
      }

@@ -803,6 +855,7 @@ impl ProfileManager {
  pub fn clone_profile(
    &self,
    profile_id: &str,
+    custom_name: Option<String>,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
    let profile_uuid =
      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
@@ -819,7 +872,10 @@ impl ProfileManager {
    }

    let new_id = uuid::Uuid::new_v4();
-    let clone_name = self.generate_clone_name(&source.name)?;
+    let clone_name = match custom_name {
+      Some(name) if !name.trim().is_empty() => name.trim().to_string(),
+      _ => self.generate_clone_name(&source.name)?,
+    };

    let profiles_dir = self.get_profiles_dir();
    let source_dir = profiles_dir.join(source.id.to_string());
@@ -837,6 +893,7 @@ impl ProfileManager {
      browser: source.browser,
      version: source.version,
      proxy_id: source.proxy_id,
+      vpn_id: source.vpn_id,
      process_id: None,
      last_launch: None,
      release_type: source.release_type,
@@ -845,8 +902,15 @@ impl ProfileManager {
      group_id: source.group_id,
      tags: source.tags,
      note: source.note,
-      sync_enabled: false,
+      sync_mode: SyncMode::Disabled,
+      encryption_salt: None,
      last_sync: None,
+      host_os: Some(get_host_os()),
+      ephemeral: false,
+      extension_group_id: source.extension_group_id,
+      proxy_bypass_rules: source.proxy_bypass_rules,
+      created_by_id: None,
+      created_by_email: None,
    };

    self.save_profile(&new_profile)?;
@@ -1007,8 +1071,9 @@ impl ProfileManager {
    // Remember old proxy_id for cleanup (not used yet, but may be needed for cleanup)
    let _old_proxy_id = profile.proxy_id.clone();

-    // Update proxy settings
+    // Update proxy settings and clear VPN (mutual exclusion)
    profile.proxy_id = proxy_id.clone();
+    profile.vpn_id = None;

    // Save the updated profile
    self
@@ -1018,7 +1083,7 @@ impl ProfileManager {
      })?;

    // Auto-enable sync for new proxy if profile has sync enabled
-    if profile.sync_enabled {
+    if profile.is_sync_enabled() {
      if let Some(ref new_proxy_id) = proxy_id {
        let _ = crate::sync::enable_proxy_sync_if_needed(new_proxy_id, &app_handle).await;
        if let Some(scheduler) = crate::sync::get_global_scheduler() {
@@ -1071,6 +1136,78 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub async fn update_profile_vpn(
+    &self,
+    _app_handle: tauri::AppHandle,
+    profile_id: &str,
+    vpn_id: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error + Send + Sync>> {
+    let profile_uuid = uuid::Uuid::parse_str(profile_id).map_err(
+      |_| -> Box<dyn std::error::Error + Send + Sync> {
+        format!("Invalid profile ID: {profile_id}").into()
+      },
+    )?;
+    let profiles =
+      self
+        .list_profiles()
+        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
+          format!("Failed to list profiles: {e}").into()
+        })?;
+
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| -> Box<dyn std::error::Error + Send + Sync> {
+        format!("Profile with ID '{profile_id}' not found").into()
+      })?;
+
+    // Update VPN and clear proxy (mutual exclusion)
+    profile.vpn_id = vpn_id;
+    profile.proxy_id = None;
+
+    self
+      .save_profile(&profile)
+      .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
+        format!("Failed to save profile: {e}").into()
+      })?;
+
+    if let Err(e) = events::emit("profile-updated", &profile) {
+      log::warn!("Warning: Failed to emit profile update event: {e}");
+    }
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
+  pub fn update_profile_extension_group(
+    &self,
+    profile_id: &str,
+    extension_group_id: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.extension_group_id = extension_group_id;
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit("profile-updated", &profile) {
+      log::warn!("Failed to emit profile update event: {e}");
+    }
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub async fn check_browser_status(
    &self,
    app_handle: tauri::AppHandle,
@@ -1088,7 +1225,9 @@ impl ProfileManager {

    // For non-camoufox browsers, use the existing PID-based logic
    let inner_profile = profile.clone();
-    let mut system = System::new();
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
    let mut is_running = false;
    let mut found_pid: Option<u32> = None;

@@ -1130,8 +1269,6 @@ impl ProfileManager {

    // If we didn't find the browser with the stored PID, search all processes
    if !is_running {
-      // Refresh all processes only when we need to search (expensive but necessary)
-      system.refresh_all();
      for (pid, process) in system.processes() {
        let cmd = process.cmd();
        if cmd.len() >= 2 {
@@ -1248,7 +1385,8 @@ impl ProfileManager {
  ) -> Result<bool, Box<dyn std::error::Error + Send + Sync>> {
    let launcher = self.camoufox_manager;
    let profiles_dir = self.get_profiles_dir();
-    let profile_data_path = profile.get_profile_data_path(&profiles_dir);
+    let profile_data_path =
+      crate::ephemeral_dirs::get_effective_profile_path(profile, &profiles_dir);
    let profile_path_str = profile_data_path.to_string_lossy();

    // Check if there's a running Camoufox instance for this profile
@@ -1292,6 +1430,10 @@ impl ProfileManager {
      }
      Ok(None) => {
        // No running instance found, clear process ID if set and stop proxy
+        if profile.ephemeral {
+          crate::ephemeral_dirs::remove_ephemeral_dir(&profile.id.to_string());
+        }
+
        let profiles_dir = self.get_profiles_dir();
        let profile_uuid_dir = profiles_dir.join(profile.id.to_string());
        let metadata_file = profile_uuid_dir.join("metadata.json");
@@ -1322,6 +1464,10 @@ impl ProfileManager {
      Err(e) => {
        // Error checking status, assume not running and clear process ID
        log::warn!("Warning: Failed to check Camoufox status: {e}");
+        if profile.ephemeral {
+          crate::ephemeral_dirs::remove_ephemeral_dir(&profile.id.to_string());
+        }
+
        let profiles_dir = self.get_profiles_dir();
        let profile_uuid_dir = profiles_dir.join(profile.id.to_string());
        let metadata_file = profile_uuid_dir.join("metadata.json");
@@ -1363,7 +1509,8 @@ impl ProfileManager {
  ) -> Result<bool, Box<dyn std::error::Error + Send + Sync>> {
    let manager = self.wayfern_manager;
    let profiles_dir = self.get_profiles_dir();
-    let profile_data_path = profile.get_profile_data_path(&profiles_dir);
+    let profile_data_path =
+      crate::ephemeral_dirs::get_effective_profile_path(profile, &profiles_dir);
    let profile_path_str = profile_data_path.to_string_lossy();

    // Check if there's a running Wayfern instance for this profile
@@ -1407,6 +1554,10 @@ impl ProfileManager {
      }
      None => {
        // No running instance found, clear process ID if set
+        if profile.ephemeral {
+          crate::ephemeral_dirs::remove_ephemeral_dir(&profile.id.to_string());
+        }
+
        let profiles_dir = self.get_profiles_dir();
        let profile_uuid_dir = profiles_dir.join(profile.id.to_string());
        let metadata_file = profile_uuid_dir.join("metadata.json");
@@ -1451,9 +1602,10 @@ impl ProfileManager {
      "user_pref(\"startup.homepage_welcome_url\", \"\");".to_string(),
      "user_pref(\"startup.homepage_welcome_url.additional\", \"\");".to_string(),
      "user_pref(\"startup.homepage_override_url\", \"\");".to_string(),
-      // Keep extension updates enabled
+      // Keep extension updates enabled and allow sideloaded extensions
      "user_pref(\"extensions.update.enabled\", true);".to_string(),
      "user_pref(\"extensions.update.autoUpdateDefault\", true);".to_string(),
+      "user_pref(\"extensions.autoDisableScopes\", 0);".to_string(),
      // Completely disable browser update checking
      "user_pref(\"app.update.enabled\", false);".to_string(),
      "user_pref(\"app.update.auto\", false);".to_string(),
@@ -1623,9 +1775,11 @@ impl ProfileManager {
    let pac_content = "function FindProxyForURL(url, host) { return 'DIRECT'; }";
    let pac_path = uuid_dir.join("proxy.pac");
    fs::write(&pac_path, pac_content)?;
+    let pac_url =
+      url::Url::from_file_path(&pac_path).map_err(|_| "Failed to convert PAC path to file URL")?;
    preferences.push(format!(
-      "user_pref(\"network.proxy.autoconfig_url\", \"file://{}\");",
-      pac_path.to_string_lossy()
+      "user_pref(\"network.proxy.autoconfig_url\", \"{}\");",
+      pac_url.as_str()
    ));

    fs::write(user_js_path, preferences.join("\n"))?;
@@ -1784,6 +1938,33 @@ mod tests {
      "Should set SSL proxy port"
    );
  }
+
+  #[test]
+  fn test_pac_url_encodes_spaces_in_path() {
+    let (manager, temp_dir) = create_test_profile_manager();
+
+    let uuid_dir = temp_dir.path().join("path with spaces");
+    let profile_dir = uuid_dir.join("profile");
+    fs::create_dir_all(&profile_dir).expect("Should create profile directory");
+
+    let result = manager.disable_proxy_settings_in_profile(&profile_dir);
+    assert!(result.is_ok(), "Should handle paths with spaces");
+
+    let user_js = fs::read_to_string(profile_dir.join("user.js")).unwrap();
+    let pac_line = user_js
+      .lines()
+      .find(|l| l.contains("autoconfig_url"))
+      .expect("Should have autoconfig_url preference");
+
+    assert!(
+      !pac_line.contains("path with spaces"),
+      "PAC URL should not contain raw spaces: {pac_line}"
+    );
+    assert!(
+      pac_line.contains("path%20with%20spaces"),
+      "PAC URL should percent-encode spaces: {pac_line}"
+    );
+  }
 }

 #[allow(clippy::too_many_arguments)]
@@ -1795,9 +1976,11 @@ pub async fn create_browser_profile_with_group(
  version: String,
  release_type: String,
  proxy_id: Option<String>,
+  vpn_id: Option<String>,
  camoufox_config: Option<CamoufoxConfig>,
  wayfern_config: Option<WayfernConfig>,
  group_id: Option<String>,
+  ephemeral: bool,
 ) -> Result<BrowserProfile, String> {
  let profile_manager = ProfileManager::instance();
  profile_manager
@@ -1808,9 +1991,11 @@ pub async fn create_browser_profile_with_group(
      &version,
      &release_type,
      proxy_id,
+      vpn_id,
      camoufox_config,
      wayfern_config,
      group_id,
+      ephemeral,
    )
    .await
    .map_err(|e| format!("Failed to create profile: {e}"))
@@ -1837,6 +2022,19 @@ pub async fn update_profile_proxy(
    .map_err(|e| format!("Failed to update profile: {e}"))
 }

+#[tauri::command]
+pub async fn update_profile_vpn(
+  app_handle: tauri::AppHandle,
+  profile_id: String,
+  vpn_id: Option<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_vpn(app_handle, &profile_id, vpn_id)
+    .await
+    .map_err(|e| format!("Failed to update profile VPN: {e}"))
+}
+
 #[tauri::command]
 pub fn update_profile_tags(
  app_handle: tauri::AppHandle,
@@ -1861,6 +2059,18 @@ pub fn update_profile_note(
    .map_err(|e| format!("Failed to update profile note: {e}"))
 }

+#[tauri::command]
+pub fn update_profile_proxy_bypass_rules(
+  app_handle: tauri::AppHandle,
+  profile_id: String,
+  rules: Vec<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_proxy_bypass_rules(&app_handle, &profile_id, rules)
+    .map_err(|e| format!("Failed to update proxy bypass rules: {e}"))
+}
+
 #[tauri::command]
 pub async fn check_browser_status(
  app_handle: tauri::AppHandle,
@@ -1894,10 +2104,24 @@ pub async fn create_browser_profile_new(
  version: String,
  release_type: String,
  proxy_id: Option<String>,
+  vpn_id: Option<String>,
  camoufox_config: Option<CamoufoxConfig>,
  wayfern_config: Option<WayfernConfig>,
  group_id: Option<String>,
+  ephemeral: Option<bool>,
 ) -> Result<BrowserProfile, String> {
+  let fingerprint_os = camoufox_config
+    .as_ref()
+    .and_then(|c| c.os.as_deref())
+    .or_else(|| wayfern_config.as_ref().and_then(|c| c.os.as_deref()));
+
+  if !crate::cloud_auth::CLOUD_AUTH
+    .is_fingerprint_os_allowed(fingerprint_os)
+    .await
+  {
+    return Err("Fingerprint OS spoofing requires an active Pro subscription".to_string());
+  }
+
  let browser_type =
    BrowserType::from_str(&browser_str).map_err(|e| format!("Invalid browser type: {e}"))?;
  create_browser_profile_with_group(
@@ -1907,9 +2131,11 @@ pub async fn create_browser_profile_new(
    version,
    release_type,
    proxy_id,
+    vpn_id,
    camoufox_config,
    wayfern_config,
    group_id,
+    ephemeral.unwrap_or(false),
  )
  .await
 }
@@ -1920,6 +2146,21 @@ pub async fn update_camoufox_config(
  profile_id: String,
  config: CamoufoxConfig,
 ) -> Result<(), String> {
+  if config.fingerprint.is_some()
+    && !crate::cloud_auth::CLOUD_AUTH
+      .has_active_paid_subscription()
+      .await
+  {
+    return Err("Fingerprint editing requires an active Pro subscription".to_string());
+  }
+
+  if !crate::cloud_auth::CLOUD_AUTH
+    .is_fingerprint_os_allowed(config.os.as_deref())
+    .await
+  {
+    return Err("Fingerprint OS spoofing requires an active Pro subscription".to_string());
+  }
+
  let profile_manager = ProfileManager::instance();
  profile_manager
    .update_camoufox_config(app_handle, &profile_id, config)
@@ -1933,6 +2174,21 @@ pub async fn update_wayfern_config(
  profile_id: String,
  config: WayfernConfig,
 ) -> Result<(), String> {
+  if config.fingerprint.is_some()
+    && !crate::cloud_auth::CLOUD_AUTH
+      .has_active_paid_subscription()
+      .await
+  {
+    return Err("Fingerprint editing requires an active Pro subscription".to_string());
+  }
+
+  if !crate::cloud_auth::CLOUD_AUTH
+    .is_fingerprint_os_allowed(config.os.as_deref())
+    .await
+  {
+    return Err("Fingerprint OS spoofing requires an active Pro subscription".to_string());
+  }
+
  let profile_manager = ProfileManager::instance();
  profile_manager
    .update_wayfern_config(app_handle, &profile_id, config)
@@ -1941,9 +2197,9 @@ pub async fn update_wayfern_config(
 }

 #[tauri::command]
-pub fn clone_profile(profile_id: String) -> Result<BrowserProfile, String> {
+pub fn clone_profile(profile_id: String, name: Option<String>) -> Result<BrowserProfile, String> {
  ProfileManager::instance()
-    .clone_profile(&profile_id)
+    .clone_profile(&profile_id, name)
    .map_err(|e| format!("Failed to clone profile: {e}"))
 }

@@ -13,6 +13,14 @@ pub enum SyncStatus {
  Error,
 }

+#[derive(Debug, Serialize, Deserialize, Clone, Copy, PartialEq, Eq, Default)]
+pub enum SyncMode {
+  #[default]
+  Disabled,
+  Regular,
+  Encrypted,
+}
+
 #[derive(Debug, Serialize, Deserialize, Clone)]
 pub struct BrowserProfile {
  pub id: uuid::Uuid,
@@ -22,6 +30,8 @@ pub struct BrowserProfile {
  #[serde(default)]
  pub proxy_id: Option<String>, // Reference to stored proxy
  #[serde(default)]
+  pub vpn_id: Option<String>, // Reference to stored VPN config
+  #[serde(default)]
  pub process_id: Option<u32>,
  #[serde(default)]
  pub last_launch: Option<u64>,
@@ -38,18 +48,61 @@ pub struct BrowserProfile {
  #[serde(default)]
  pub note: Option<String>, // User note
  #[serde(default)]
-  pub sync_enabled: bool, // Whether sync is enabled for this profile
+  pub sync_mode: SyncMode,
+  #[serde(default)]
+  pub encryption_salt: Option<String>,
  #[serde(default)]
  pub last_sync: Option<u64>, // Timestamp of last successful sync (epoch seconds)
+  #[serde(default)]
+  pub host_os: Option<String>, // OS where profile was created ("macos", "windows", "linux")
+  #[serde(default)]
+  pub ephemeral: bool,
+  #[serde(default)]
+  pub extension_group_id: Option<String>,
+  #[serde(default)]
+  pub proxy_bypass_rules: Vec<String>,
+  #[serde(default)]
+  pub created_by_id: Option<String>,
+  #[serde(default)]
+  pub created_by_email: Option<String>,
 }

 pub fn default_release_type() -> String {
  "stable".to_string()
 }

+pub fn get_host_os() -> String {
+  if cfg!(target_os = "macos") {
+    "macos".to_string()
+  } else if cfg!(target_os = "windows") {
+    "windows".to_string()
+  } else {
+    "linux".to_string()
+  }
+}
+
 impl BrowserProfile {
  /// Get the path to the profile data directory (profiles/{uuid}/profile)
  pub fn get_profile_data_path(&self, profiles_dir: &Path) -> PathBuf {
    profiles_dir.join(self.id.to_string()).join("profile")
  }
+
+  /// Returns true when the profile was created on a different OS than the current host.
+  /// Profiles without an `os` field (backward compat) are treated as native.
+  pub fn is_cross_os(&self) -> bool {
+    match &self.host_os {
+      Some(host_os) => host_os != &get_host_os(),
+      None => false,
+    }
+  }
+
+  /// Returns true if sync is enabled (either Regular or Encrypted mode).
+  pub fn is_sync_enabled(&self) -> bool {
+    self.sync_mode != SyncMode::Disabled
+  }
+
+  /// Returns true if sync uses E2E encryption.
+  pub fn is_encrypted_sync(&self) -> bool {
+    self.sync_mode == SyncMode::Encrypted
+  }
 }
@@ -545,6 +545,7 @@ impl ProfileImporter {
      browser: browser_type.to_string(),
      version: available_versions,
      proxy_id: None,
+      vpn_id: None,
      process_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
@@ -553,8 +554,15 @@ impl ProfileImporter {
      group_id: None,
      tags: Vec::new(),
      note: None,
-      sync_enabled: false,
+      sync_mode: crate::profile::types::SyncMode::Disabled,
+      encryption_salt: None,
      last_sync: None,
+      host_os: Some(crate::profile::types::get_host_os()),
+      ephemeral: false,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
    };

    // Save the profile metadata
@@ -1,5 +1,4 @@
 use chrono::Utc;
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use std::collections::HashMap;
@@ -117,11 +116,12 @@ pub struct StoredProxy {

 impl StoredProxy {
  pub fn new(name: String, proxy_settings: ProxySettings) -> Self {
+    let sync_enabled = crate::sync::is_sync_configured();
    Self {
      id: uuid::Uuid::new_v4().to_string(),
      name,
      proxy_settings,
-      sync_enabled: false,
+      sync_enabled,
      last_sync: None,
      is_cloud_managed: false,
      is_cloud_derived: false,
@@ -148,18 +148,15 @@ pub struct ProxyManager {
  // Track active proxy IDs by profile name for targeted cleanup
  profile_active_proxy_ids: Mutex<HashMap<String, String>>, // Maps profile name to proxy id
  stored_proxies: Mutex<HashMap<String, StoredProxy>>,      // Maps proxy ID to stored proxy
-  base_dirs: BaseDirs,
 }

 impl ProxyManager {
  pub fn new() -> Self {
-    let base_dirs = BaseDirs::new().expect("Failed to get base directories");
    let manager = Self {
      active_proxies: Mutex::new(HashMap::new()),
      profile_proxies: Mutex::new(HashMap::new()),
      profile_active_proxy_ids: Mutex::new(HashMap::new()),
      stored_proxies: Mutex::new(HashMap::new()),
-      base_dirs,
    };

    // Load stored proxies on initialization
@@ -170,27 +167,12 @@ impl ProxyManager {
    manager
  }

-  // Get the path to the proxies directory
  fn get_proxies_dir(&self) -> PathBuf {
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("proxies");
-    path
+    crate::app_dirs::proxies_dir()
  }

-  // Get the path to the proxy check cache directory
  fn get_proxy_check_cache_dir(&self) -> Result<PathBuf, Box<dyn std::error::Error>> {
-    let mut path = self.base_dirs.cache_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("proxy_checks");
+    let path = crate::app_dirs::cache_dir().join("proxy_checks");
    fs::create_dir_all(&path)?;
    Ok(path)
  }
@@ -243,8 +225,7 @@ impl ProxyManager {
      .as_secs()
  }

-  // Get geolocation for an IP address
-  async fn get_ip_geolocation(
+  pub async fn get_ip_geolocation(
    ip: &str,
  ) -> Result<(Option<String>, Option<String>, Option<String>), String> {
    // Use ip-api.com (free, no API key required)
@@ -409,6 +390,15 @@ impl ProxyManager {
      log::error!("Failed to emit proxies-changed event: {e}");
    }

+    if stored_proxy.sync_enabled {
+      if let Some(scheduler) = crate::sync::get_global_scheduler() {
+        let id = stored_proxy.id.clone();
+        tauri::async_runtime::spawn(async move {
+          scheduler.queue_proxy_sync(id).await;
+        });
+      }
+    }
+
    Ok(stored_proxy)
  }

@@ -478,15 +468,16 @@ impl ProxyManager {
  }

  // Build a geo-targeted username from base username and location parts
+  // LP format: username-zone-lightning-region-{country}-st-{state}-city-{city}
  fn build_geo_username(
    base_username: &str,
    country: &str,
    state: &Option<String>,
    city: &Option<String>,
  ) -> String {
-    let mut username = format!("{}-country-{}", base_username, country);
+    let mut username = format!("{}-zone-lightning-region-{}", base_username, country);
    if let Some(state) = state {
-      username = format!("{}-state-{}", username, state);
+      username = format!("{}-st-{}", username, state);
    }
    if let Some(city) = city {
      username = format!("{}-city-{}", username, city);
@@ -626,6 +617,11 @@ impl ProxyManager {
    }
  }

+  pub fn remove_from_memory(&self, proxy_id: &str) {
+    let mut stored_proxies = self.stored_proxies.lock().unwrap();
+    stored_proxies.remove(proxy_id);
+  }
+
  // Get all stored proxies
  pub fn get_stored_proxies(&self) -> Vec<StoredProxy> {
    let stored_proxies = self.stored_proxies.lock().unwrap();
@@ -698,6 +694,15 @@ impl ProxyManager {
      log::error!("Failed to emit proxies-changed event: {e}");
    }

+    if updated_proxy.sync_enabled {
+      if let Some(scheduler) = crate::sync::get_global_scheduler() {
+        let id = updated_proxy.id.clone();
+        tauri::async_runtime::spawn(async move {
+          scheduler.queue_proxy_sync(id).await;
+        });
+      }
+    }
+
    Ok(updated_proxy)
  }

@@ -764,6 +769,14 @@ impl ProxyManager {
    Ok(())
  }

+  // Check if a proxy is cloud-managed or cloud-derived (needs fresh credentials)
+  pub fn is_cloud_or_derived(&self, proxy_id: &str) -> bool {
+    let stored_proxies = self.stored_proxies.lock().unwrap();
+    stored_proxies
+      .get(proxy_id)
+      .is_some_and(|p| p.is_cloud_managed || p.is_cloud_derived)
+  }
+
  // Get proxy settings for a stored proxy ID
  pub fn get_proxy_settings_by_id(&self, proxy_id: &str) -> Option<ProxySettings> {
    let stored_proxies = self.stored_proxies.lock().unwrap();
@@ -1179,6 +1192,7 @@ impl ProxyManager {
    proxy_settings: Option<&ProxySettings>,
    browser_pid: u32,
    profile_id: Option<&str>,
+    bypass_rules: Vec<String>,
  ) -> Result<ProxySettings, String> {
    if let Some(name) = profile_id {
      // Check if we have an active proxy recorded for this profile
@@ -1299,6 +1313,13 @@ impl ProxyManager {
      proxy_cmd = proxy_cmd.arg("--profile-id").arg(id);
    }

+    // Add bypass rules if any
+    if !bypass_rules.is_empty() {
+      let rules_json = serde_json::to_string(&bypass_rules)
+        .map_err(|e| format!("Failed to serialize bypass rules: {e}"))?;
+      proxy_cmd = proxy_cmd.arg("--bypass-rules").arg(rules_json);
+    }
+
    // Execute the command and wait for it to complete
    // The donut-proxy binary should start the worker and then exit
    let output = proxy_cmd
@@ -1625,6 +1646,27 @@ impl ProxyManager {
      delete_proxy_config(&config.id);
    }

+    // Clean up orphaned VPN worker configs where the worker process is dead
+    {
+      use crate::proxy_storage::is_process_running;
+      use crate::vpn_worker_storage::{delete_vpn_worker_config, list_vpn_worker_configs};
+
+      let vpn_workers = list_vpn_worker_configs();
+      for worker in vpn_workers {
+        if let Some(pid) = worker.pid {
+          if !is_process_running(pid) {
+            log::info!(
+              "Cleaning up orphaned VPN worker config: {} (process PID {} is dead)",
+              worker.id,
+              pid
+            );
+            let _ = std::fs::remove_file(&worker.config_file_path);
+            delete_vpn_worker_config(&worker.id);
+          }
+        }
+      }
+    }
+
    // Emit event for reactive UI updates
    if let Err(e) = events::emit_empty("proxies-changed") {
      log::error!("Failed to emit proxies-changed event: {e}");
@@ -12,13 +12,14 @@ pub async fn start_proxy_process(
  upstream_url: Option<String>,
  port: Option<u16>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
-  start_proxy_process_with_profile(upstream_url, port, None).await
+  start_proxy_process_with_profile(upstream_url, port, None, Vec::new()).await
 }

 pub async fn start_proxy_process_with_profile(
  upstream_url: Option<String>,
  port: Option<u16>,
  profile_id: Option<String>,
+  bypass_rules: Vec<String>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
  let id = generate_proxy_id();
  let upstream = upstream_url.unwrap_or_else(|| "DIRECT".to_string());
@@ -30,8 +31,9 @@ pub async fn start_proxy_process_with_profile(
    listener.local_addr().unwrap().port()
  });

-  let config =
-    ProxyConfig::new(id.clone(), upstream, Some(local_port)).with_profile_id(profile_id.clone());
+  let config = ProxyConfig::new(id.clone(), upstream, Some(local_port))
+    .with_profile_id(profile_id.clone())
+    .with_bypass_rules(bypass_rules);
  save_proxy_config(&config)?;

  // Log profile_id for debugging
@@ -254,9 +256,12 @@ pub async fn stop_proxy_process(id: &str) -> Result<bool, Box<dyn std::error::Er
      }
      #[cfg(windows)]
      {
+        use std::os::windows::process::CommandExt;
        use std::process::Command;
+        const CREATE_NO_WINDOW: u32 = 0x08000000;
        let _ = Command::new("taskkill")
          .args(["/F", "/PID", &pid.to_string()])
+          .creation_flags(CREATE_NO_WINDOW)
          .output();
      }

@@ -6,6 +6,7 @@ use hyper::server::conn::http1;
 use hyper::service::service_fn;
 use hyper::{Method, Request, Response, StatusCode};
 use hyper_util::rt::TokioIo;
+use regex_lite::Regex;
 use std::convert::Infallible;
 use std::io;
 use std::net::SocketAddr;
@@ -18,6 +19,38 @@ use tokio::net::TcpListener;
 use tokio::net::TcpStream;
 use url::Url;

+enum CompiledRule {
+  Regex(Regex),
+  Exact(String),
+}
+
+#[derive(Clone)]
+pub struct BypassMatcher {
+  rules: Arc<Vec<CompiledRule>>,
+}
+
+impl BypassMatcher {
+  pub fn new(rules: &[String]) -> Self {
+    let compiled = rules
+      .iter()
+      .map(|rule| match Regex::new(rule) {
+        Ok(re) => CompiledRule::Regex(re),
+        Err(_) => CompiledRule::Exact(rule.clone()),
+      })
+      .collect();
+    Self {
+      rules: Arc::new(compiled),
+    }
+  }
+
+  pub fn should_bypass(&self, host: &str) -> bool {
+    self.rules.iter().any(|rule| match rule {
+      CompiledRule::Regex(re) => re.is_match(host),
+      CompiledRule::Exact(exact) => host == exact,
+    })
+  }
+}
+
 /// Wrapper stream that counts bytes read and written
 struct CountingStream<S> {
  inner: S,
@@ -133,19 +166,21 @@ impl AsyncWrite for PrependReader {
 async fn handle_request(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Handle CONNECT method for HTTPS tunneling
  if req.method() == Method::CONNECT {
-    return handle_connect(req, upstream_url).await;
+    return handle_connect(req, upstream_url, bypass_matcher).await;
  }

  // Handle regular HTTP requests
-  handle_http(req, upstream_url).await
+  handle_http(req, upstream_url, bypass_matcher).await
 }

 async fn handle_connect(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  let authority = req.uri().authority().cloned();

@@ -161,12 +196,13 @@ async fn handle_connect(
      (&target_addr[..], 443)
    };

-    // If no upstream proxy, connect directly
+    // If no upstream proxy, or bypass rule matches, connect directly
    if upstream_url.is_none()
      || upstream_url
        .as_ref()
        .map(|s| s == "DIRECT")
        .unwrap_or(false)
+      || bypass_matcher.should_bypass(target_host)
    {
      match TcpStream::connect(&target_addr).await {
        Ok(_stream) => {
@@ -674,6 +710,7 @@ async fn handle_http_via_socks4(
 async fn handle_http(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Extract domain for traffic tracking
  let domain = req
@@ -689,13 +726,17 @@ async fn handle_http(
    req.uri().host()
  );

+  let should_bypass = bypass_matcher.should_bypass(&domain);
+
  // Check if we need to handle SOCKS4 manually (reqwest doesn't support it)
-  if let Some(ref upstream) = upstream_url {
-    if upstream != "DIRECT" {
-      if let Ok(url) = Url::parse(upstream) {
-        if url.scheme() == "socks4" {
-          // Handle SOCKS4 manually for HTTP requests
-          return handle_http_via_socks4(req, upstream).await;
+  if !should_bypass {
+    if let Some(ref upstream) = upstream_url {
+      if upstream != "DIRECT" {
+        if let Ok(url) = Url::parse(upstream) {
+          if url.scheme() == "socks4" {
+            // Handle SOCKS4 manually for HTTP requests
+            return handle_http_via_socks4(req, upstream).await;
+          }
        }
      }
    }
@@ -705,7 +746,9 @@ async fn handle_http(
  use reqwest::Client;

  let client_builder = Client::builder();
-  let client = if let Some(ref upstream) = upstream_url {
+  let client = if should_bypass {
+    client_builder.build().unwrap_or_default()
+  } else if let Some(ref upstream) = upstream_url {
    if upstream == "DIRECT" {
      client_builder.build().unwrap_or_default()
    } else {
@@ -1003,6 +1046,8 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
    }
  });

+  let bypass_matcher = BypassMatcher::new(&config.bypass_rules);
+
  // Keep the runtime alive with an infinite loop
  // This ensures the process doesn't exit even if there are no active connections
  loop {
@@ -1014,6 +1059,7 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
        log::error!("DEBUG: Accepted connection from {:?}", peer_addr);

        let upstream = upstream_url.clone();
+        let matcher = bypass_matcher.clone();

        tokio::task::spawn(async move {
          // Read first bytes to detect CONNECT requests
@@ -1108,7 +1154,9 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
                  "DEBUG: Handling CONNECT manually for: {}",
                  String::from_utf8_lossy(&full_request[..full_request.len().min(200)])
                );
-                if let Err(e) = handle_connect_from_buffer(stream, full_request, upstream).await {
+                if let Err(e) =
+                  handle_connect_from_buffer(stream, full_request, upstream, matcher).await
+                {
                  log::error!("Error handling CONNECT request: {:?}", e);
                } else {
                  log::error!("DEBUG: CONNECT handled successfully");
@@ -1130,7 +1178,8 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
                inner: stream,
              };
              let io = TokioIo::new(prepended_reader);
-              let service = service_fn(move |req| handle_request(req, upstream.clone()));
+              let service =
+                service_fn(move |req| handle_request(req, upstream.clone(), matcher.clone()));

              if let Err(err) = http1::Builder::new().serve_connection(io, service).await {
                log::error!("Error serving connection: {:?}", err);
@@ -1156,6 +1205,7 @@ async fn handle_connect_from_buffer(
  mut client_stream: TcpStream,
  request_buffer: Vec<u8>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<(), Box<dyn std::error::Error>> {
  // Parse the CONNECT request from the buffer
  let request_str = String::from_utf8_lossy(&request_buffer);
@@ -1193,6 +1243,7 @@ async fn handle_connect_from_buffer(
  }

  // Connect to target (directly or via upstream proxy)
+  let should_bypass = bypass_matcher.should_bypass(target_host);
  let target_stream = match upstream_url.as_ref() {
    None => {
      // Direct connection
@@ -1202,6 +1253,10 @@ async fn handle_connect_from_buffer(
      // Direct connection
      TcpStream::connect((target_host, target_port)).await?
    }
+    _ if should_bypass => {
+      // Bypass rule matched - connect directly
+      TcpStream::connect((target_host, target_port)).await?
+    }
    Some(upstream_url_str) => {
      // Connect via upstream proxy
      let upstream = Url::parse(upstream_url_str)?;
@@ -1,4 +1,3 @@
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::fs;
 use std::path::PathBuf;
@@ -13,6 +12,8 @@ pub struct ProxyConfig {
  pub pid: Option<u32>,
  #[serde(default)]
  pub profile_id: Option<String>,
+  #[serde(default)]
+  pub bypass_rules: Vec<String>,
 }

 impl ProxyConfig {
@@ -25,6 +26,7 @@ impl ProxyConfig {
      local_url: None,
      pid: None,
      profile_id: None,
+      bypass_rules: Vec::new(),
    }
  }

@@ -32,18 +34,15 @@ impl ProxyConfig {
    self.profile_id = profile_id;
    self
  }
+
+  pub fn with_bypass_rules(mut self, bypass_rules: Vec<String>) -> Self {
+    self.bypass_rules = bypass_rules;
+    self
+  }
 }

 pub fn get_storage_dir() -> PathBuf {
-  let base_dirs = BaseDirs::new().expect("Failed to get base directories");
-  let mut path = base_dirs.data_local_dir().to_path_buf();
-  path.push(if cfg!(debug_assertions) {
-    "DonutBrowserDev"
-  } else {
-    "DonutBrowser"
-  });
-  path.push("proxies");
-  path
+  crate::app_dirs::proxies_dir()
 }

 pub fn save_proxy_config(config: &ProxyConfig) -> Result<(), Box<dyn std::error::Error>> {
@@ -132,7 +131,9 @@ pub fn generate_proxy_id() -> String {
 }

 pub fn is_process_running(pid: u32) -> bool {
-  use sysinfo::{Pid, System};
-  let system = System::new();
-  system.process(Pid::from(pid as usize)).is_some()
+  use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+  let system = System::new_with_specifics(
+    RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+  );
+  system.process(sysinfo::Pid::from_u32(pid)).is_some()
 }
@@ -1,4 +1,3 @@
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::fs::{self, create_dir_all};
 use std::path::PathBuf;
@@ -54,6 +53,8 @@ pub struct AppSettings {
  pub launch_on_login_declined: bool, // User permanently declined the launch-on-login prompt
  #[serde(default)]
  pub language: Option<String>, // ISO 639-1: "en", "es", "pt", "fr", "zh", "ja", "ru", or None for system default
+  #[serde(default)]
+  pub window_resize_warning_dismissed: bool,
 }

 #[derive(Debug, Serialize, Deserialize, Clone, Default)]
@@ -87,31 +88,16 @@ impl Default for AppSettings {
      mcp_token: None,
      launch_on_login_declined: false,
      language: None,
+      window_resize_warning_dismissed: false,
    }
  }
 }

-pub struct SettingsManager {
-  base_dirs: BaseDirs,
-  data_dir_override: Option<PathBuf>,
-}
+pub struct SettingsManager;

 impl SettingsManager {
-  fn new() -> Self {
-    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
-      data_dir_override: std::env::var("DONUTBROWSER_DATA_DIR")
-        .ok()
-        .map(PathBuf::from),
-    }
-  }
-
-  #[cfg(test)]
-  fn with_data_dir_override(dir: &std::path::Path) -> Self {
-    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
-      data_dir_override: Some(dir.to_path_buf()),
-    }
+  pub(crate) fn new() -> Self {
+    Self
  }

  pub fn instance() -> &'static SettingsManager {
@@ -119,18 +105,7 @@ impl SettingsManager {
  }

  pub fn get_settings_dir(&self) -> PathBuf {
-    if let Some(dir) = &self.data_dir_override {
-      return dir.join("settings");
-    }
-
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("settings");
-    path
+    crate::app_dirs::settings_dir()
  }

  pub fn get_settings_file(&self) -> PathBuf {
@@ -153,23 +128,10 @@ impl SettingsManager {

    // Parse the settings file - serde will use default values for missing fields
    match serde_json::from_str::<AppSettings>(&content) {
-      Ok(settings) => {
-        // Save the settings back to ensure any missing fields are written with defaults
-        if let Err(e) = self.save_settings(&settings) {
-          log::warn!("Warning: Failed to update settings file with defaults: {e}");
-        }
-        Ok(settings)
-      }
+      Ok(settings) => Ok(settings),
      Err(e) => {
        log::warn!("Warning: Failed to parse settings file, using defaults: {e}");
-        let default_settings = AppSettings::default();
-
-        // Try to save default settings to fix the corrupted file
-        if let Err(save_error) = self.save_settings(&default_settings) {
-          log::warn!("Warning: Failed to save default settings: {save_error}");
-        }
-
-        Ok(default_settings)
+        Ok(AppSettings::default())
      }
    }
  }
@@ -809,6 +771,15 @@ pub async fn save_app_settings(
    settings.mcp_token = None;
  }

+  // Preserve server-managed flags that the frontend may not have up-to-date.
+  // Read directly from file to avoid load_settings' save-on-load behavior.
+  if let Ok(content) = std::fs::read_to_string(manager.get_settings_file()) {
+    if let Ok(current) = serde_json::from_str::<AppSettings>(&content) {
+      settings.window_resize_warning_dismissed = current.window_resize_warning_dismissed;
+      settings.launch_on_login_declined = current.launch_on_login_declined;
+    }
+  }
+
  let mut persist_settings = settings.clone();
  persist_settings.api_token = None;
  persist_settings.mcp_token = None;
@@ -926,6 +897,27 @@ pub async fn save_sync_settings(
  })
 }

+#[tauri::command]
+pub async fn dismiss_window_resize_warning() -> Result<(), String> {
+  let manager = SettingsManager::instance();
+  let mut settings = manager
+    .load_settings()
+    .map_err(|e| format!("Failed to load settings: {e}"))?;
+  settings.window_resize_warning_dismissed = true;
+  manager
+    .save_settings(&settings)
+    .map_err(|e| format!("Failed to save settings: {e}"))
+}
+
+#[tauri::command]
+pub async fn get_window_resize_warning_dismissed() -> Result<bool, String> {
+  let manager = SettingsManager::instance();
+  let settings = manager
+    .load_settings()
+    .map_err(|e| format!("Failed to load settings: {e}"))?;
+  Ok(settings.window_resize_warning_dismissed)
+}
+
 #[tauri::command]
 pub fn get_system_language() -> String {
  sys_locale::get_locale()
@@ -950,16 +942,16 @@ mod tests {
  use super::*;
  use tempfile::TempDir;

-  fn create_test_settings_manager() -> (SettingsManager, TempDir) {
+  fn create_test_settings_manager() -> (SettingsManager, TempDir, crate::app_dirs::TestDirGuard) {
    let temp_dir = TempDir::new().expect("Failed to create temp directory");
-    let manager = SettingsManager::with_data_dir_override(temp_dir.path());
-    (manager, temp_dir)
+    let guard = crate::app_dirs::set_test_data_dir(temp_dir.path().to_path_buf());
+    let manager = SettingsManager::new();
+    (manager, temp_dir, guard)
  }

  #[test]
  fn test_settings_manager_creation() {
-    let (_manager, _temp_dir) = create_test_settings_manager();
-    // Test passes if no panic occurs
+    let (_manager, _temp_dir, _guard) = create_test_settings_manager();
  }

  #[test]
@@ -992,7 +984,7 @@ mod tests {

  #[test]
  fn test_load_settings_nonexistent_file() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let result = manager.load_settings();
    assert!(
@@ -1010,7 +1002,7 @@ mod tests {

  #[test]
  fn test_save_and_load_settings() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let test_settings = AppSettings {
      set_as_default_browser: true,
@@ -1027,13 +1019,12 @@ mod tests {
      mcp_token: None,
      launch_on_login_declined: false,
      language: None,
+      window_resize_warning_dismissed: false,
    };

-    // Save settings
    let save_result = manager.save_settings(&test_settings);
    assert!(save_result.is_ok(), "Should save settings successfully");

-    // Load settings back
    let load_result = manager.load_settings();
    assert!(load_result.is_ok(), "Should load settings successfully");

@@ -1050,7 +1041,7 @@ mod tests {

  #[test]
  fn test_load_table_sorting_nonexistent_file() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let result = manager.load_table_sorting();
    assert!(
@@ -1065,18 +1056,16 @@ mod tests {

  #[test]
  fn test_save_and_load_table_sorting() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let test_sorting = TableSortingSettings {
      column: "browser".to_string(),
      direction: "desc".to_string(),
    };

-    // Save sorting
    let save_result = manager.save_table_sorting(&test_sorting);
    assert!(save_result.is_ok(), "Should save sorting successfully");

-    // Load sorting back
    let load_result = manager.load_table_sorting();
    assert!(load_result.is_ok(), "Should load sorting successfully");

@@ -1093,45 +1082,37 @@ mod tests {

  #[test]
  fn test_should_show_launch_on_login_prompt() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let result = manager.should_show_launch_on_login_prompt();
    assert!(result.is_ok(), "Should not fail");

-    // By default, should show prompt (not declined, autostart not enabled)
    let _should_show = result.unwrap();
-    // Note: The actual value depends on system autostart state, so we just test it doesn't fail
  }

  #[test]
  fn test_decline_launch_on_login() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

-    // Initially not declined
    let settings = manager.load_settings().unwrap();
    assert!(!settings.launch_on_login_declined);

-    // Decline
    manager.decline_launch_on_login().unwrap();

-    // Should be declined now
    let settings = manager.load_settings().unwrap();
    assert!(settings.launch_on_login_declined);
  }

  #[test]
  fn test_load_corrupted_settings_file() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

-    // Create settings directory
    let settings_dir = manager.get_settings_dir();
    fs::create_dir_all(&settings_dir).expect("Should create settings directory");

-    // Write corrupted JSON
    let settings_file = manager.get_settings_file();
    fs::write(&settings_file, "{ invalid json }").expect("Should write corrupted file");

-    // Should handle corrupted file gracefully
    let result = manager.load_settings();
    assert!(
      result.is_ok(),
@@ -1151,7 +1132,7 @@ mod tests {

  #[test]
  fn test_settings_file_paths() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let settings_dir = manager.get_settings_dir();
    let settings_file = manager.get_settings_file();
@@ -0,0 +1,351 @@
+use aes_gcm::{
+  aead::{Aead, AeadCore, KeyInit, OsRng},
+  Aes256Gcm, Key,
+};
+use argon2::{password_hash::SaltString, Argon2, PasswordHasher};
+use base64::{engine::general_purpose::STANDARD as BASE64, Engine};
+
+const E2E_FILE_HEADER: &[u8] = b"DBE2E";
+const E2E_FILE_VERSION: u8 = 1;
+
+fn get_e2e_password_path() -> std::path::PathBuf {
+  crate::app_dirs::settings_dir().join("e2e_password.dat")
+}
+
+fn get_vault_password() -> String {
+  env!("DONUT_BROWSER_VAULT_PASSWORD").to_string()
+}
+
+pub fn store_e2e_password(password: &str) -> Result<(), String> {
+  let file_path = get_e2e_password_path();
+
+  if let Some(parent) = file_path.parent() {
+    std::fs::create_dir_all(parent).map_err(|e| format!("Failed to create directory: {e}"))?;
+  }
+
+  let vault_password = get_vault_password();
+  let salt = SaltString::generate(&mut OsRng);
+  let argon2 = Argon2::default();
+  let password_hash = argon2
+    .hash_password(vault_password.as_bytes(), &salt)
+    .map_err(|e| format!("Argon2 key derivation failed: {e}"))?;
+  let hash_value = password_hash.hash.unwrap();
+  let hash_bytes = hash_value.as_bytes();
+
+  let key_bytes: [u8; 32] = hash_bytes[..32]
+    .try_into()
+    .map_err(|_| "Invalid key length")?;
+  let key = Key::<Aes256Gcm>::from(key_bytes);
+  let cipher = Aes256Gcm::new(&key);
+  let nonce = Aes256Gcm::generate_nonce(&mut OsRng);
+
+  let ciphertext = cipher
+    .encrypt(&nonce, password.as_bytes())
+    .map_err(|e| format!("Encryption failed: {e}"))?;
+
+  let mut file_data = Vec::new();
+  file_data.extend_from_slice(E2E_FILE_HEADER);
+  file_data.push(E2E_FILE_VERSION);
+
+  let salt_str = salt.as_str();
+  file_data.push(salt_str.len() as u8);
+  file_data.extend_from_slice(salt_str.as_bytes());
+  file_data.extend_from_slice(&nonce);
+  file_data.extend_from_slice(&(ciphertext.len() as u32).to_le_bytes());
+  file_data.extend_from_slice(&ciphertext);
+
+  std::fs::write(&file_path, file_data)
+    .map_err(|e| format!("Failed to write e2e password file: {e}"))?;
+
+  Ok(())
+}
+
+pub fn load_e2e_password() -> Result<Option<String>, String> {
+  let file_path = get_e2e_password_path();
+  if !file_path.exists() {
+    return Ok(None);
+  }
+
+  let file_data =
+    std::fs::read(&file_path).map_err(|e| format!("Failed to read e2e password file: {e}"))?;
+
+  if file_data.len() < E2E_FILE_HEADER.len() + 1 {
+    return Ok(None);
+  }
+
+  if &file_data[..E2E_FILE_HEADER.len()] != E2E_FILE_HEADER {
+    return Ok(None);
+  }
+
+  let version = file_data[E2E_FILE_HEADER.len()];
+  if version != E2E_FILE_VERSION {
+    return Ok(None);
+  }
+
+  let mut offset = E2E_FILE_HEADER.len() + 1;
+
+  if offset >= file_data.len() {
+    return Ok(None);
+  }
+  let salt_len = file_data[offset] as usize;
+  offset += 1;
+
+  if offset + salt_len > file_data.len() {
+    return Ok(None);
+  }
+  let salt_str = std::str::from_utf8(&file_data[offset..offset + salt_len])
+    .map_err(|_| "Invalid salt encoding")?;
+  offset += salt_len;
+
+  let salt = SaltString::from_b64(salt_str).map_err(|e| format!("Invalid salt: {e}"))?;
+
+  if offset + 12 > file_data.len() {
+    return Ok(None);
+  }
+  let nonce_bytes: [u8; 12] = file_data[offset..offset + 12]
+    .try_into()
+    .map_err(|_| "Invalid nonce")?;
+  let nonce = aes_gcm::Nonce::from(nonce_bytes);
+  offset += 12;
+
+  if offset + 4 > file_data.len() {
+    return Ok(None);
+  }
+  let ciphertext_len =
+    u32::from_le_bytes(file_data[offset..offset + 4].try_into().unwrap()) as usize;
+  offset += 4;
+
+  if offset + ciphertext_len > file_data.len() {
+    return Ok(None);
+  }
+  let ciphertext = &file_data[offset..offset + ciphertext_len];
+
+  let vault_password = get_vault_password();
+  let argon2 = Argon2::default();
+  let password_hash = argon2
+    .hash_password(vault_password.as_bytes(), &salt)
+    .map_err(|e| format!("Argon2 key derivation failed: {e}"))?;
+  let hash_value = password_hash.hash.unwrap();
+  let hash_bytes = hash_value.as_bytes();
+
+  let key_bytes: [u8; 32] = hash_bytes[..32]
+    .try_into()
+    .map_err(|_| "Invalid key length")?;
+  let key = Key::<Aes256Gcm>::from(key_bytes);
+  let cipher = Aes256Gcm::new(&key);
+
+  let plaintext = cipher
+    .decrypt(&nonce, ciphertext)
+    .map_err(|e| format!("Decryption failed: {e}"))?;
+
+  let password =
+    String::from_utf8(plaintext).map_err(|e| format!("Invalid UTF-8 in password: {e}"))?;
+
+  Ok(Some(password))
+}
+
+pub fn has_e2e_password() -> bool {
+  get_e2e_password_path().exists()
+}
+
+pub fn remove_e2e_password() -> Result<(), String> {
+  let file_path = get_e2e_password_path();
+  if file_path.exists() {
+    std::fs::remove_file(&file_path)
+      .map_err(|e| format!("Failed to remove e2e password file: {e}"))?;
+  }
+  Ok(())
+}
+
+/// Derive a per-profile encryption key using Argon2id
+pub fn derive_profile_key(user_password: &str, profile_salt: &str) -> Result<[u8; 32], String> {
+  let salt_bytes = BASE64
+    .decode(profile_salt)
+    .map_err(|e| format!("Invalid salt encoding: {e}"))?;
+
+  let salt = SaltString::encode_b64(&salt_bytes)
+    .map_err(|e| format!("Failed to create salt string: {e}"))?;
+
+  let argon2 = Argon2::default();
+  let password_hash = argon2
+    .hash_password(user_password.as_bytes(), &salt)
+    .map_err(|e| format!("Key derivation failed: {e}"))?;
+  let hash_value = password_hash.hash.unwrap();
+  let hash_bytes = hash_value.as_bytes();
+
+  let mut key = [0u8; 32];
+  key.copy_from_slice(&hash_bytes[..32]);
+  Ok(key)
+}
+
+/// Generate a random 16-byte salt, base64-encoded
+pub fn generate_salt() -> String {
+  let mut salt = [0u8; 16];
+  use aes_gcm::aead::rand_core::RngCore;
+  OsRng.fill_bytes(&mut salt);
+  BASE64.encode(salt)
+}
+
+/// Encrypt bytes with AES-256-GCM. Output format: [nonce 12B][ciphertext]
+pub fn encrypt_bytes(key: &[u8; 32], plaintext: &[u8]) -> Result<Vec<u8>, String> {
+  let aes_key = Key::<Aes256Gcm>::from(*key);
+  let cipher = Aes256Gcm::new(&aes_key);
+  let nonce = Aes256Gcm::generate_nonce(&mut OsRng);
+
+  let ciphertext = cipher
+    .encrypt(&nonce, plaintext)
+    .map_err(|e| format!("Encryption failed: {e}"))?;
+
+  let mut output = Vec::with_capacity(12 + ciphertext.len());
+  output.extend_from_slice(&nonce);
+  output.extend_from_slice(&ciphertext);
+  Ok(output)
+}
+
+/// Decrypt bytes encrypted with encrypt_bytes. Input format: [nonce 12B][ciphertext]
+pub fn decrypt_bytes(key: &[u8; 32], encrypted: &[u8]) -> Result<Vec<u8>, String> {
+  if encrypted.len() < 12 {
+    return Err("Encrypted data too short".to_string());
+  }
+
+  let nonce_bytes: [u8; 12] = encrypted[..12].try_into().map_err(|_| "Invalid nonce")?;
+  let nonce = aes_gcm::Nonce::from(nonce_bytes);
+  let ciphertext = &encrypted[12..];
+
+  let aes_key = Key::<Aes256Gcm>::from(*key);
+  let cipher = Aes256Gcm::new(&aes_key);
+
+  cipher
+    .decrypt(&nonce, ciphertext)
+    .map_err(|e| format!("Decryption failed: {e}"))
+}
+
+// Tauri commands
+
+#[tauri::command]
+pub fn set_e2e_password(password: String) -> Result<(), String> {
+  if password.len() < 8 {
+    return Err("Password must be at least 8 characters".to_string());
+  }
+  store_e2e_password(&password)
+}
+
+#[tauri::command]
+pub fn check_has_e2e_password() -> bool {
+  has_e2e_password()
+}
+
+#[tauri::command]
+pub fn delete_e2e_password() -> Result<(), String> {
+  remove_e2e_password()
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_encrypt_decrypt_roundtrip() {
+    let key = [42u8; 32];
+    let plaintext = b"Hello, World!";
+    let encrypted = encrypt_bytes(&key, plaintext).unwrap();
+    let decrypted = decrypt_bytes(&key, &encrypted).unwrap();
+    assert_eq!(decrypted, plaintext);
+  }
+
+  #[test]
+  fn test_encrypt_decrypt_empty_data() {
+    let key = [1u8; 32];
+    let plaintext = b"";
+    let encrypted = encrypt_bytes(&key, plaintext).unwrap();
+    let decrypted = decrypt_bytes(&key, &encrypted).unwrap();
+    assert_eq!(decrypted, plaintext.to_vec());
+  }
+
+  #[test]
+  fn test_encrypt_decrypt_large_data() {
+    let key = [7u8; 32];
+    let plaintext = vec![0xABu8; 1_048_576]; // 1MB
+    let encrypted = encrypt_bytes(&key, &plaintext).unwrap();
+    let decrypted = decrypt_bytes(&key, &encrypted).unwrap();
+    assert_eq!(decrypted, plaintext);
+  }
+
+  #[test]
+  fn test_different_keys_different_ciphertext() {
+    let key1 = [1u8; 32];
+    let key2 = [2u8; 32];
+    let plaintext = b"same data";
+    let encrypted1 = encrypt_bytes(&key1, plaintext).unwrap();
+    let encrypted2 = encrypt_bytes(&key2, plaintext).unwrap();
+    // Nonces are random so ciphertexts will differ regardless,
+    // but decrypting with wrong key should fail
+    assert!(decrypt_bytes(&key2, &encrypted1).is_err());
+    assert!(decrypt_bytes(&key1, &encrypted2).is_err());
+  }
+
+  #[test]
+  fn test_nonce_uniqueness() {
+    let key = [5u8; 32];
+    let plaintext = b"same data encrypted twice";
+    let encrypted1 = encrypt_bytes(&key, plaintext).unwrap();
+    let encrypted2 = encrypt_bytes(&key, plaintext).unwrap();
+    // Different nonces should produce different ciphertext
+    assert_ne!(encrypted1, encrypted2);
+    // But both should decrypt to the same plaintext
+    assert_eq!(
+      decrypt_bytes(&key, &encrypted1).unwrap(),
+      decrypt_bytes(&key, &encrypted2).unwrap()
+    );
+  }
+
+  #[test]
+  fn test_wrong_key_fails() {
+    let key = [10u8; 32];
+    let wrong_key = [20u8; 32];
+    let plaintext = b"secret data";
+    let encrypted = encrypt_bytes(&key, plaintext).unwrap();
+    assert!(decrypt_bytes(&wrong_key, &encrypted).is_err());
+  }
+
+  #[test]
+  fn test_key_derivation_deterministic() {
+    let salt = generate_salt();
+    let key1 = derive_profile_key("my_password", &salt).unwrap();
+    let key2 = derive_profile_key("my_password", &salt).unwrap();
+    assert_eq!(key1, key2);
+  }
+
+  #[test]
+  fn test_key_derivation_different_salts() {
+    let salt1 = generate_salt();
+    let salt2 = generate_salt();
+    let key1 = derive_profile_key("my_password", &salt1).unwrap();
+    let key2 = derive_profile_key("my_password", &salt2).unwrap();
+    assert_ne!(key1, key2);
+  }
+
+  #[test]
+  fn test_salt_generation_unique() {
+    let salt1 = generate_salt();
+    let salt2 = generate_salt();
+    assert_ne!(salt1, salt2);
+  }
+
+  #[test]
+  fn test_password_storage_roundtrip() {
+    let password = "test_password_12345";
+    store_e2e_password(password).unwrap();
+    assert!(has_e2e_password());
+    let loaded = load_e2e_password().unwrap();
+    assert_eq!(loaded, Some(password.to_string()));
+    remove_e2e_password().unwrap();
+    assert!(!has_e2e_password());
+  }
+
+  #[test]
+  fn test_decrypt_too_short_data() {
+    let key = [1u8; 32];
+    assert!(decrypt_bytes(&key, &[0u8; 5]).is_err());
+  }
+}
@@ -52,6 +52,8 @@ pub struct SyncManifest {
  #[serde(rename = "excludeGlobs")]
  pub exclude_globs: Vec<String>,
  pub files: Vec<ManifestFileEntry>,
+  #[serde(default)]
+  pub encrypted: bool,
 }

 impl SyncManifest {
@@ -64,6 +66,7 @@ impl SyncManifest {
      updated_at: now,
      exclude_globs,
      files: Vec::new(),
+      encrypted: false,
    }
  }

@@ -547,6 +550,7 @@ mod tests {
          hash: "def".to_string(),
        },
      ],
+      encrypted: false,
    };

    let diff = compute_diff(&local, None);
@@ -588,6 +592,7 @@ mod tests {
          hash: "new".to_string(),
        },
      ],
+      encrypted: false,
    };

    let remote = SyncManifest {
@@ -616,6 +621,7 @@ mod tests {
          hash: "gone".to_string(),
        },
      ],
+      encrypted: false,
    };

    let diff = compute_diff(&local, Some(&remote));
@@ -634,4 +640,22 @@ mod tests {
      .files_to_delete_remote
      .contains(&"deleted.txt".to_string()));
  }
+
+  #[test]
+  fn test_manifest_encrypted_flag_default() {
+    let json = r#"{"version":1,"profileId":"test","generatedAt":"2024-01-01T00:00:00Z","updatedAt":"2024-01-01T00:00:00Z","excludeGlobs":[],"files":[]}"#;
+    let manifest: SyncManifest = serde_json::from_str(json).unwrap();
+    assert!(!manifest.encrypted);
+  }
+
+  #[test]
+  fn test_manifest_with_encrypted_flag() {
+    let json = r#"{"version":1,"profileId":"test","generatedAt":"2024-01-01T00:00:00Z","updatedAt":"2024-01-01T00:00:00Z","excludeGlobs":[],"files":[],"encrypted":true}"#;
+    let manifest: SyncManifest = serde_json::from_str(json).unwrap();
+    assert!(manifest.encrypted);
+
+    let serialized = serde_json::to_string(&manifest).unwrap();
+    let deserialized: SyncManifest = serde_json::from_str(&serialized).unwrap();
+    assert!(deserialized.encrypted);
+  }
 }
@@ -1,4 +1,5 @@
 mod client;
+pub mod encryption;
 mod engine;
 pub mod manifest;
 pub mod scheduler;
@@ -6,12 +7,15 @@ pub mod subscription;
 pub mod types;

 pub use client::SyncClient;
+pub use encryption::{check_has_e2e_password, delete_e2e_password, set_e2e_password};
 pub use engine::{
-  enable_group_sync_if_needed, enable_proxy_sync_if_needed, is_group_in_use_by_synced_profile,
+  enable_group_sync_if_needed, enable_proxy_sync_if_needed, enable_sync_for_all_entities,
+  enable_vpn_sync_if_needed, get_unsynced_entity_counts, is_group_in_use_by_synced_profile,
  is_group_used_by_synced_profile, is_proxy_in_use_by_synced_profile,
-  is_proxy_used_by_synced_profile, request_profile_sync, set_group_sync_enabled,
-  set_profile_sync_enabled, set_proxy_sync_enabled, sync_profile, trigger_sync_for_profile,
-  SyncEngine,
+  is_proxy_used_by_synced_profile, is_sync_configured, is_vpn_in_use_by_synced_profile,
+  is_vpn_used_by_synced_profile, request_profile_sync, set_extension_group_sync_enabled,
+  set_extension_sync_enabled, set_group_sync_enabled, set_profile_sync_mode,
+  set_proxy_sync_enabled, set_vpn_sync_enabled, sync_profile, trigger_sync_for_profile, SyncEngine,
 };
 pub use manifest::{compute_diff, generate_manifest, HashCache, ManifestDiff, SyncManifest};
 pub use scheduler::{get_global_scheduler, set_global_scheduler, SyncScheduler};
@@ -34,6 +34,9 @@ pub struct SyncScheduler {
  pending_profiles: Arc<Mutex<HashMap<String, ProfileStopTime>>>,
  pending_proxies: Arc<Mutex<HashSet<String>>>,
  pending_groups: Arc<Mutex<HashSet<String>>>,
+  pending_vpns: Arc<Mutex<HashSet<String>>>,
+  pending_extensions: Arc<Mutex<HashSet<String>>>,
+  pending_extension_groups: Arc<Mutex<HashSet<String>>>,
  pending_tombstones: Arc<Mutex<Vec<(String, String)>>>,
  running_profiles: Arc<Mutex<HashSet<String>>>,
  in_flight_profiles: Arc<Mutex<HashSet<String>>>,
@@ -52,6 +55,9 @@ impl SyncScheduler {
      pending_profiles: Arc::new(Mutex::new(HashMap::new())),
      pending_proxies: Arc::new(Mutex::new(HashSet::new())),
      pending_groups: Arc::new(Mutex::new(HashSet::new())),
+      pending_vpns: Arc::new(Mutex::new(HashSet::new())),
+      pending_extensions: Arc::new(Mutex::new(HashSet::new())),
+      pending_extension_groups: Arc::new(Mutex::new(HashSet::new())),
      pending_tombstones: Arc::new(Mutex::new(Vec::new())),
      running_profiles: Arc::new(Mutex::new(HashSet::new())),
      in_flight_profiles: Arc::new(Mutex::new(HashSet::new())),
@@ -92,6 +98,24 @@ impl SyncScheduler {
    }
    drop(pending_groups);

+    let pending_vpns = self.pending_vpns.lock().await;
+    if !pending_vpns.is_empty() {
+      return true;
+    }
+    drop(pending_vpns);
+
+    let pending_extensions = self.pending_extensions.lock().await;
+    if !pending_extensions.is_empty() {
+      return true;
+    }
+    drop(pending_extensions);
+
+    let pending_extension_groups = self.pending_extension_groups.lock().await;
+    if !pending_extension_groups.is_empty() {
+      return true;
+    }
+    drop(pending_extension_groups);
+
    let pending_tombstones = self.pending_tombstones.lock().await;
    if !pending_tombstones.is_empty() {
      return true;
@@ -190,11 +214,26 @@ impl SyncScheduler {
    pending.insert(proxy_id);
  }

+  pub async fn queue_vpn_sync(&self, vpn_id: String) {
+    let mut pending = self.pending_vpns.lock().await;
+    pending.insert(vpn_id);
+  }
+
  pub async fn queue_group_sync(&self, group_id: String) {
    let mut pending = self.pending_groups.lock().await;
    pending.insert(group_id);
  }

+  pub async fn queue_extension_sync(&self, extension_id: String) {
+    let mut pending = self.pending_extensions.lock().await;
+    pending.insert(extension_id);
+  }
+
+  pub async fn queue_extension_group_sync(&self, extension_group_id: String) {
+    let mut pending = self.pending_extension_groups.lock().await;
+    pending.insert(extension_group_id);
+  }
+
  pub async fn queue_tombstone(&self, entity_type: String, entity_id: String) {
    let mut pending = self.pending_tombstones.lock().await;
    if !pending
@@ -219,7 +258,10 @@ impl SyncScheduler {
      }
    };

-    let sync_enabled_profiles: Vec<_> = profiles.into_iter().filter(|p| p.sync_enabled).collect();
+    let sync_enabled_profiles: Vec<_> = profiles
+      .into_iter()
+      .filter(|p| p.is_sync_enabled() && !p.is_cross_os())
+      .collect();

    if sync_enabled_profiles.is_empty() {
      log::debug!("No sync-enabled profiles found");
@@ -269,6 +311,9 @@ impl SyncScheduler {
              SyncWorkItem::Profile(id) => scheduler.queue_profile_sync(id).await,
              SyncWorkItem::Proxy(id) => scheduler.queue_proxy_sync(id).await,
              SyncWorkItem::Group(id) => scheduler.queue_group_sync(id).await,
+              SyncWorkItem::Vpn(id) => scheduler.queue_vpn_sync(id).await,
+              SyncWorkItem::Extension(id) => scheduler.queue_extension_sync(id).await,
+              SyncWorkItem::ExtensionGroup(id) => scheduler.queue_extension_group_sync(id).await,
              SyncWorkItem::Tombstone(entity_type, entity_id) => {
                scheduler.queue_tombstone(entity_type, entity_id).await
              }
@@ -288,6 +333,9 @@ impl SyncScheduler {
    self.process_pending_profiles(app_handle).await;
    self.process_pending_proxies(app_handle).await;
    self.process_pending_groups(app_handle).await;
+    self.process_pending_vpns(app_handle).await;
+    self.process_pending_extensions(app_handle).await;
+    self.process_pending_extension_groups(app_handle).await;
    self.process_pending_tombstones(app_handle).await;
  }

@@ -338,7 +386,7 @@ impl SyncScheduler {
        profile_manager.list_profiles().ok().and_then(|profiles| {
          profiles
            .into_iter()
-            .find(|p| p.id.to_string() == profile_id && p.sync_enabled)
+            .find(|p| p.id.to_string() == profile_id && p.is_sync_enabled() && !p.is_cross_os())
        })
      };

@@ -366,6 +414,9 @@ impl SyncScheduler {
          && self.pending_profiles.lock().await.is_empty()
          && self.pending_proxies.lock().await.is_empty()
          && self.pending_groups.lock().await.is_empty()
+          && self.pending_vpns.lock().await.is_empty()
+          && self.pending_extensions.lock().await.is_empty()
+          && self.pending_extension_groups.lock().await.is_empty()
      };

      match result {
@@ -537,7 +588,145 @@ impl SyncScheduler {
    }
  }

-  async fn process_pending_tombstones(&self, app_handle: &tauri::AppHandle) {
+  async fn process_pending_vpns(&self, app_handle: &tauri::AppHandle) {
+    let vpns_to_sync: Vec<String> = {
+      let mut pending = self.pending_vpns.lock().await;
+      let list: Vec<String> = pending.drain().collect();
+      list
+    };
+
+    if vpns_to_sync.is_empty() {
+      return;
+    }
+
+    match SyncEngine::create_from_settings(app_handle).await {
+      Ok(engine) => {
+        for vpn_id in vpns_to_sync {
+          log::info!("Syncing VPN {}", vpn_id);
+          let _ = events::emit(
+            "vpn-sync-status",
+            serde_json::json!({
+              "id": vpn_id,
+              "status": "syncing"
+            }),
+          );
+          match engine.sync_vpn_by_id_with_handle(&vpn_id, app_handle).await {
+            Ok(()) => {
+              let _ = events::emit(
+                "vpn-sync-status",
+                serde_json::json!({
+                  "id": vpn_id,
+                  "status": "synced"
+                }),
+              );
+            }
+            Err(e) => {
+              log::error!("Failed to sync VPN {}: {}", vpn_id, e);
+              let _ = events::emit(
+                "vpn-sync-status",
+                serde_json::json!({
+                  "id": vpn_id,
+                  "status": "error"
+                }),
+              );
+            }
+          }
+        }
+
+        if !self.is_sync_in_progress().await {
+          log::debug!("All syncs completed after VPN sync, triggering cleanup");
+          let registry =
+            crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+          if let Err(e) = registry.cleanup_unused_binaries() {
+            log::warn!("Cleanup after sync failed: {e}");
+          } else {
+            log::debug!("Cleanup after sync completed successfully");
+          }
+        }
+      }
+      Err(e) => {
+        log::error!("Failed to create sync engine: {}", e);
+      }
+    }
+  }
+
+  async fn process_pending_extensions(&self, app_handle: &tauri::AppHandle) {
+    let extensions_to_sync: Vec<String> = {
+      let mut pending = self.pending_extensions.lock().await;
+      let list: Vec<String> = pending.drain().collect();
+      list
+    };
+
+    if extensions_to_sync.is_empty() {
+      return;
+    }
+
+    match SyncEngine::create_from_settings(app_handle).await {
+      Ok(engine) => {
+        for ext_id in extensions_to_sync {
+          log::info!("Syncing extension {}", ext_id);
+          if let Err(e) = engine
+            .sync_extension_by_id_with_handle(&ext_id, app_handle)
+            .await
+          {
+            log::error!("Failed to sync extension {}: {}", ext_id, e);
+          }
+        }
+
+        if !self.is_sync_in_progress().await {
+          log::debug!("All syncs completed after extension sync, triggering cleanup");
+          let registry =
+            crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+          if let Err(e) = registry.cleanup_unused_binaries() {
+            log::warn!("Cleanup after sync failed: {e}");
+          }
+        }
+      }
+      Err(e) => {
+        log::error!("Failed to create sync engine: {}", e);
+      }
+    }
+  }
+
+  async fn process_pending_extension_groups(&self, app_handle: &tauri::AppHandle) {
+    let groups_to_sync: Vec<String> = {
+      let mut pending = self.pending_extension_groups.lock().await;
+      let list: Vec<String> = pending.drain().collect();
+      list
+    };
+
+    if groups_to_sync.is_empty() {
+      return;
+    }
+
+    match SyncEngine::create_from_settings(app_handle).await {
+      Ok(engine) => {
+        for group_id in groups_to_sync {
+          log::info!("Syncing extension group {}", group_id);
+          if let Err(e) = engine
+            .sync_extension_group_by_id_with_handle(&group_id, app_handle)
+            .await
+          {
+            log::error!("Failed to sync extension group {}: {}", group_id, e);
+          }
+        }
+
+        if !self.is_sync_in_progress().await {
+          log::debug!("All syncs completed after extension group sync, triggering cleanup");
+          let registry =
+            crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+          if let Err(e) = registry.cleanup_unused_binaries() {
+            log::warn!("Cleanup after sync failed: {e}");
+          }
+        }
+      }
+      Err(e) => {
+        log::error!("Failed to create sync engine: {}", e);
+      }
+    }
+  }
+
+  async fn process_pending_tombstones(&self, _app_handle: &tauri::AppHandle) {
    let tombstones: Vec<(String, String)> = {
      let mut pending = self.pending_tombstones.lock().await;
      std::mem::take(&mut *pending)
@@ -551,61 +740,94 @@ impl SyncScheduler {
      log::info!("Processing tombstone for {} {}", entity_type, entity_id);
      match entity_type.as_str() {
        "profile" => {
-          let exists_locally = {
-            let profile_manager = ProfileManager::instance();
+          let profile_manager = ProfileManager::instance();
+          let profile_to_delete = {
            if let Ok(profiles) = profile_manager.list_profiles() {
              let profile_uuid = uuid::Uuid::parse_str(&entity_id).ok();
-              profile_uuid
-                .as_ref()
-                .map(|uuid| profiles.iter().any(|p| p.id == *uuid))
-                .unwrap_or(false)
+              profile_uuid.and_then(|uuid| profiles.into_iter().find(|p| p.id == uuid))
            } else {
-              false
+              None
            }
          };

-          if exists_locally {
-            // Profile exists locally but was deleted remotely - delete locally
+          if let Some(mut profile) = profile_to_delete {
            log::info!(
-              "Profile {} exists locally, deleting due to remote tombstone",
+              "Profile {} was deleted remotely, disabling sync locally",
              entity_id
            );
-            // Note: We don't actually delete here to avoid data loss.
-            // The user should be notified or we could add a confirmation step.
-            // For now, just log it.
-          } else {
-            // Profile doesn't exist locally - check if it still exists remotely
-            // (tombstone might have been created but profile files still exist)
-            // Try to download it
-            match SyncEngine::create_from_settings(app_handle).await {
-              Ok(engine) => {
-                if let Ok(true) = engine
-                  .download_profile_if_missing(app_handle, &entity_id)
-                  .await
-                {
-                  log::info!(
-                    "Downloaded missing profile {} from remote storage",
-                    entity_id
-                  );
-                }
-              }
-              Err(e) => {
-                log::debug!("Sync not configured, skipping profile download: {}", e);
-              }
+            profile.sync_mode = crate::profile::types::SyncMode::Disabled;
+            if let Err(e) = profile_manager.save_profile(&profile) {
+              log::warn!("Failed to disable sync for profile {}: {}", entity_id, e);
+            } else {
+              log::info!(
+                "Profile {} sync disabled due to remote tombstone (local copy kept)",
+                entity_id
+              );
+              let _ = events::emit("profiles-changed", ());
            }
          }
        }
        "proxy" => {
-          log::debug!(
-            "Proxy tombstone for {} - local deletion not implemented",
-            entity_id
-          );
+          let proxy_manager = &crate::proxy_manager::PROXY_MANAGER;
+          let proxies = proxy_manager.get_stored_proxies();
+          if let Some(proxy) = proxies.iter().find(|p| p.id == entity_id) {
+            if proxy.sync_enabled {
+              log::info!("Proxy {} was deleted remotely, deleting locally", entity_id);
+              let proxy_file = proxy_manager.get_proxy_file_path(&entity_id);
+              if proxy_file.exists() {
+                let _ = std::fs::remove_file(&proxy_file);
+              }
+              proxy_manager.remove_from_memory(&entity_id);
+              let _ = events::emit("stored-proxies-changed", ());
+            }
+          }
        }
        "group" => {
-          log::debug!(
-            "Group tombstone for {} - local deletion not implemented",
-            entity_id
-          );
+          let group_manager = crate::group_manager::GROUP_MANAGER.lock().unwrap();
+          let groups = group_manager.get_all_groups().unwrap_or_default();
+          if let Some(group) = groups.iter().find(|g| g.id == entity_id) {
+            if group.sync_enabled {
+              log::info!("Group {} was deleted remotely, deleting locally", entity_id);
+              let _ = group_manager.delete_group_internal(&entity_id);
+              let _ = events::emit("groups-changed", ());
+            }
+          }
+        }
+        "vpn" => {
+          let storage = crate::vpn::VPN_STORAGE.lock().unwrap();
+          if let Ok(vpn) = storage.load_config(&entity_id) {
+            if vpn.sync_enabled {
+              log::info!("VPN {} was deleted remotely, deleting locally", entity_id);
+              let _ = storage.delete_config(&entity_id);
+              let _ = events::emit("vpn-configs-changed", ());
+            }
+          }
+        }
+        "extension" => {
+          let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+          if let Ok(ext) = manager.get_extension(&entity_id) {
+            if ext.sync_enabled {
+              log::info!(
+                "Extension {} was deleted remotely, deleting locally",
+                entity_id
+              );
+              let _ = manager.delete_extension_internal(&entity_id);
+              let _ = events::emit("extensions-changed", ());
+            }
+          }
+        }
+        "extension_group" => {
+          let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+          if let Ok(group) = manager.get_group(&entity_id) {
+            if group.sync_enabled {
+              log::info!(
+                "Extension group {} was deleted remotely, deleting locally",
+                entity_id
+              );
+              let _ = manager.delete_group_internal(&entity_id);
+              let _ = events::emit("extensions-changed", ());
+            }
+          }
        }
        _ => {}
      }
@@ -23,6 +23,9 @@ pub enum SyncWorkItem {
  Profile(String),
  Proxy(String),
  Group(String),
+  Vpn(String),
+  Extension(String),
+  ExtensionGroup(String),
  Tombstone(String, String),
 }

@@ -205,8 +208,21 @@ impl SyncSubscription {
    data_line.and_then(|data| serde_json::from_str(data).ok())
  }

+  fn strip_team_prefix(key: &str) -> &str {
+    if key.starts_with("teams/") {
+      if let Some(rest) = key.find('/').and_then(|first_slash| {
+        key[first_slash + 1..]
+          .find('/')
+          .map(|second_slash| first_slash + 1 + second_slash + 1)
+      }) {
+        return &key[rest..];
+      }
+    }
+    key
+  }
+
  fn handle_event(event: &SubscribeEvent, work_tx: &mpsc::UnboundedSender<SyncWorkItem>) {
-    let Some(key) = &event.key else {
+    let Some(raw_key) = &event.key else {
      return;
    };

@@ -214,6 +230,8 @@ impl SyncSubscription {
      return;
    }

+    let key = Self::strip_team_prefix(raw_key);
+
    let work_item = if key.starts_with("profiles/") {
      key
        .strip_prefix("profiles/")
@@ -229,6 +247,21 @@ impl SyncSubscription {
        .strip_prefix("groups/")
        .and_then(|s| s.strip_suffix(".json"))
        .map(|s| SyncWorkItem::Group(s.to_string()))
+    } else if key.starts_with("vpns/") {
+      key
+        .strip_prefix("vpns/")
+        .and_then(|s| s.strip_suffix(".json"))
+        .map(|s| SyncWorkItem::Vpn(s.to_string()))
+    } else if key.starts_with("extensions/") {
+      key
+        .strip_prefix("extensions/")
+        .and_then(|s| s.strip_suffix(".json"))
+        .map(|s| SyncWorkItem::Extension(s.to_string()))
+    } else if key.starts_with("extension_groups/") {
+      key
+        .strip_prefix("extension_groups/")
+        .and_then(|s| s.strip_suffix(".json"))
+        .map(|s| SyncWorkItem::ExtensionGroup(s.to_string()))
    } else if key.starts_with("tombstones/") {
      key.strip_prefix("tombstones/").and_then(|rest| {
        if rest.starts_with("profiles/") {
@@ -246,6 +279,21 @@ impl SyncSubscription {
            .strip_prefix("groups/")
            .and_then(|s| s.strip_suffix(".json"))
            .map(|id| SyncWorkItem::Tombstone("group".to_string(), id.to_string()))
+        } else if rest.starts_with("vpns/") {
+          rest
+            .strip_prefix("vpns/")
+            .and_then(|s| s.strip_suffix(".json"))
+            .map(|id| SyncWorkItem::Tombstone("vpn".to_string(), id.to_string()))
+        } else if rest.starts_with("extensions/") {
+          rest
+            .strip_prefix("extensions/")
+            .and_then(|s| s.strip_suffix(".json"))
+            .map(|id| SyncWorkItem::Tombstone("extension".to_string(), id.to_string()))
+        } else if rest.starts_with("extension_groups/") {
+          rest
+            .strip_prefix("extension_groups/")
+            .and_then(|s| s.strip_suffix(".json"))
+            .map(|id| SyncWorkItem::Tombstone("extension_group".to_string(), id.to_string()))
        } else {
          None
        }
@@ -1,56 +1,22 @@
 use crate::profile::BrowserProfile;
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::collections::BTreeSet;
 use std::fs;
-use std::path::{Path, PathBuf};

 #[derive(Debug, Serialize, Deserialize, Default, Clone)]
 struct TagsData {
  tags: Vec<String>,
 }

-pub struct TagManager {
-  base_dirs: BaseDirs,
-  data_dir_override: Option<PathBuf>,
-}
+pub struct TagManager;

 impl TagManager {
  pub fn new() -> Self {
-    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
-      data_dir_override: std::env::var("DONUTBROWSER_DATA_DIR")
-        .ok()
-        .map(PathBuf::from),
-    }
+    Self
  }

-  // Helper for tests to override data directory without global env var
-  #[allow(dead_code)]
-  pub fn with_data_dir_override(dir: &Path) -> Self {
-    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
-      data_dir_override: Some(dir.to_path_buf()),
-    }
-  }
-
-  fn get_tags_file_path(&self) -> PathBuf {
-    if let Some(dir) = &self.data_dir_override {
-      let mut override_path = dir.clone();
-      let _ = fs::create_dir_all(&override_path);
-      override_path.push("tags.json");
-      return override_path;
-    }
-
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("data");
-    path.push("tags.json");
-    path
+  fn get_tags_file_path(&self) -> std::path::PathBuf {
+    crate::app_dirs::data_subdir().join("tags.json")
  }

  fn load_tags_data(&self) -> Result<TagsData, Box<dyn std::error::Error>> {
@@ -0,0 +1,335 @@
+use lazy_static::lazy_static;
+use reqwest::Client;
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+use tokio::sync::{Mutex, RwLock};
+use tokio::task::JoinHandle;
+
+use crate::cloud_auth::{CloudAuthManager, CLOUD_API_URL, CLOUD_AUTH};
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ProfileLockInfo {
+  #[serde(rename = "profileId")]
+  pub profile_id: String,
+  #[serde(rename = "lockedBy")]
+  pub locked_by: String,
+  #[serde(rename = "lockedByEmail")]
+  pub locked_by_email: String,
+  #[serde(rename = "lockedAt")]
+  pub locked_at: String,
+  #[serde(rename = "expiresAt", default)]
+  pub expires_at: Option<String>,
+}
+
+#[derive(Debug, Deserialize)]
+#[allow(dead_code)]
+struct AcquireLockResponse {
+  success: bool,
+  #[serde(rename = "lockedBy")]
+  locked_by: Option<String>,
+  #[serde(rename = "lockedByEmail")]
+  locked_by_email: Option<String>,
+}
+
+pub struct TeamLockManager {
+  locks: RwLock<HashMap<String, ProfileLockInfo>>,
+  heartbeat_handle: Mutex<Option<JoinHandle<()>>>,
+  connected_team_id: Mutex<Option<String>>,
+}
+
+lazy_static! {
+  pub static ref TEAM_LOCK: TeamLockManager = TeamLockManager::new();
+}
+
+impl TeamLockManager {
+  fn new() -> Self {
+    Self {
+      locks: RwLock::new(HashMap::new()),
+      heartbeat_handle: Mutex::new(None),
+      connected_team_id: Mutex::new(None),
+    }
+  }
+
+  pub async fn connect(&self, team_id: &str) {
+    log::info!("Connecting team lock manager for team: {team_id}");
+
+    {
+      let mut tid = self.connected_team_id.lock().await;
+      *tid = Some(team_id.to_string());
+    }
+
+    if let Err(e) = self.fetch_initial_locks(team_id).await {
+      log::warn!("Failed to fetch initial locks: {e}");
+    }
+
+    self.start_heartbeat_loop().await;
+  }
+
+  pub async fn disconnect(&self) {
+    log::info!("Disconnecting team lock manager");
+
+    {
+      let mut handle = self.heartbeat_handle.lock().await;
+      if let Some(h) = handle.take() {
+        h.abort();
+      }
+    }
+
+    {
+      let mut locks = self.locks.write().await;
+      locks.clear();
+    }
+
+    {
+      let mut tid = self.connected_team_id.lock().await;
+      *tid = None;
+    }
+  }
+
+  pub async fn acquire_lock(&self, profile_id: &str) -> Result<(), String> {
+    let team_id = self.get_team_id().await?;
+    let client = Client::new();
+
+    let access_token =
+      CloudAuthManager::load_access_token()?.ok_or_else(|| "Not logged in".to_string())?;
+
+    let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks");
+    let response = client
+      .post(&url)
+      .header("Authorization", format!("Bearer {access_token}"))
+      .json(&serde_json::json!({ "profileId": profile_id }))
+      .send()
+      .await
+      .map_err(|e| format!("Failed to acquire lock: {e}"))?;
+
+    if !response.status().is_success() {
+      let status = response.status();
+      let body = response.text().await.unwrap_or_default();
+      return Err(format!("Lock acquisition failed ({status}): {body}"));
+    }
+
+    let result: AcquireLockResponse = response
+      .json()
+      .await
+      .map_err(|e| format!("Failed to parse lock response: {e}"))?;
+
+    if !result.success {
+      let email = result
+        .locked_by_email
+        .unwrap_or_else(|| "another user".to_string());
+      return Err(format!("Profile is in use by {email}"));
+    }
+
+    // Update local cache
+    if let Some(user) = CLOUD_AUTH.get_user().await {
+      let mut locks = self.locks.write().await;
+      locks.insert(
+        profile_id.to_string(),
+        ProfileLockInfo {
+          profile_id: profile_id.to_string(),
+          locked_by: user.user.id.clone(),
+          locked_by_email: user.user.email.clone(),
+          locked_at: chrono::Utc::now().to_rfc3339(),
+          expires_at: None,
+        },
+      );
+    }
+
+    let _ = crate::events::emit(
+      "team-lock-acquired",
+      serde_json::json!({ "profileId": profile_id }),
+    );
+
+    Ok(())
+  }
+
+  pub async fn release_lock(&self, profile_id: &str) -> Result<(), String> {
+    let team_id = self.get_team_id().await?;
+    let client = Client::new();
+
+    let access_token =
+      CloudAuthManager::load_access_token()?.ok_or_else(|| "Not logged in".to_string())?;
+
+    let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks/{profile_id}");
+    let _ = client
+      .delete(&url)
+      .header("Authorization", format!("Bearer {access_token}"))
+      .send()
+      .await;
+
+    {
+      let mut locks = self.locks.write().await;
+      locks.remove(profile_id);
+    }
+
+    let _ = crate::events::emit(
+      "team-lock-released",
+      serde_json::json!({ "profileId": profile_id }),
+    );
+
+    Ok(())
+  }
+
+  pub async fn get_locks(&self) -> Vec<ProfileLockInfo> {
+    let locks = self.locks.read().await;
+    locks.values().cloned().collect()
+  }
+
+  pub async fn get_lock_status(&self, profile_id: &str) -> Option<ProfileLockInfo> {
+    let locks = self.locks.read().await;
+    locks.get(profile_id).cloned()
+  }
+
+  pub async fn is_locked_by_another(&self, profile_id: &str) -> bool {
+    let locks = self.locks.read().await;
+    if let Some(lock) = locks.get(profile_id) {
+      if let Some(user) = CLOUD_AUTH.get_user().await {
+        return lock.locked_by != user.user.id;
+      }
+    }
+    false
+  }
+
+  async fn fetch_initial_locks(&self, team_id: &str) -> Result<(), String> {
+    let client = Client::new();
+    let access_token =
+      CloudAuthManager::load_access_token()?.ok_or_else(|| "Not logged in".to_string())?;
+
+    let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks");
+    let response = client
+      .get(&url)
+      .header("Authorization", format!("Bearer {access_token}"))
+      .send()
+      .await
+      .map_err(|e| format!("Failed to fetch locks: {e}"))?;
+
+    if !response.status().is_success() {
+      return Err("Failed to fetch locks".to_string());
+    }
+
+    let lock_list: Vec<ProfileLockInfo> = response
+      .json()
+      .await
+      .map_err(|e| format!("Failed to parse locks: {e}"))?;
+
+    let mut locks = self.locks.write().await;
+    locks.clear();
+    for lock in lock_list {
+      locks.insert(lock.profile_id.clone(), lock);
+    }
+
+    Ok(())
+  }
+
+  async fn start_heartbeat_loop(&self) {
+    let mut handle = self.heartbeat_handle.lock().await;
+    if let Some(h) = handle.take() {
+      h.abort();
+    }
+
+    let h = tokio::spawn(async move {
+      loop {
+        tokio::time::sleep(std::time::Duration::from_secs(30)).await;
+
+        let team_id = match TEAM_LOCK.get_team_id().await {
+          Ok(id) => id,
+          Err(_) => break,
+        };
+
+        let held_locks: Vec<String> = {
+          let locks = TEAM_LOCK.locks.read().await;
+          if let Some(user) = CLOUD_AUTH.get_user().await {
+            locks
+              .values()
+              .filter(|l| l.locked_by == user.user.id)
+              .map(|l| l.profile_id.clone())
+              .collect()
+          } else {
+            vec![]
+          }
+        };
+
+        for profile_id in held_locks {
+          let client = Client::new();
+          if let Ok(Some(token)) = CloudAuthManager::load_access_token() {
+            let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks/{profile_id}/heartbeat");
+            let _ = client
+              .post(&url)
+              .header("Authorization", format!("Bearer {token}"))
+              .send()
+              .await;
+          }
+        }
+
+        // Refresh lock state from server
+        if let Err(e) = TEAM_LOCK.fetch_initial_locks(&team_id).await {
+          log::debug!("Failed to refresh locks: {e}");
+        }
+      }
+    });
+
+    *handle = Some(h);
+  }
+
+  async fn get_team_id(&self) -> Result<String, String> {
+    let tid = self.connected_team_id.lock().await;
+    tid
+      .clone()
+      .ok_or_else(|| "Not connected to a team".to_string())
+  }
+}
+
+/// Acquire team lock if profile is sync-enabled and user is on a team.
+/// Returns Ok(()) if lock acquired or not applicable, Err with message if locked by another.
+pub async fn acquire_team_lock_if_needed(
+  profile: &crate::profile::BrowserProfile,
+) -> Result<(), String> {
+  if !profile.is_sync_enabled() {
+    return Ok(());
+  }
+  if !CLOUD_AUTH.is_on_team_plan().await {
+    return Ok(());
+  }
+
+  if TEAM_LOCK
+    .is_locked_by_another(&profile.id.to_string())
+    .await
+  {
+    if let Some(lock) = TEAM_LOCK.get_lock_status(&profile.id.to_string()).await {
+      return Err(format!("Profile is in use by {}", lock.locked_by_email));
+    }
+    return Err("Profile is in use by another team member".to_string());
+  }
+
+  TEAM_LOCK.acquire_lock(&profile.id.to_string()).await
+}
+
+/// Release team lock if profile is sync-enabled and user is on a team.
+/// Logs warnings on failure but does not return errors.
+pub async fn release_team_lock_if_needed(profile: &crate::profile::BrowserProfile) {
+  if !profile.is_sync_enabled() {
+    return;
+  }
+  if !CLOUD_AUTH.is_on_team_plan().await {
+    return;
+  }
+
+  if let Err(e) = TEAM_LOCK.release_lock(&profile.id.to_string()).await {
+    log::warn!(
+      "Failed to release team lock for profile {}: {e}",
+      profile.id
+    );
+  }
+}
+
+// --- Tauri commands ---
+
+#[tauri::command]
+pub async fn get_team_locks() -> Result<Vec<ProfileLockInfo>, String> {
+  Ok(TEAM_LOCK.get_locks().await)
+}
+
+#[tauri::command]
+pub async fn get_team_lock_status(profile_id: String) -> Result<Option<ProfileLockInfo>, String> {
+  Ok(TEAM_LOCK.get_lock_status(&profile_id).await)
+}
@@ -1,4 +1,3 @@
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::fs;
@@ -328,17 +327,8 @@ fn acquire_file_lock(lock_path: &PathBuf) -> Result<FileLockGuard, Box<dyn std::
  Ok(FileLockGuard { _file: file })
 }

-/// Get the traffic stats storage directory
 pub fn get_traffic_stats_dir() -> PathBuf {
-  let base_dirs = BaseDirs::new().expect("Failed to get base directories");
-  let mut path = base_dirs.cache_dir().to_path_buf();
-  path.push(if cfg!(debug_assertions) {
-    "DonutBrowserDev"
-  } else {
-    "DonutBrowser"
-  });
-  path.push("traffic_stats");
-  path
+  crate::app_dirs::cache_dir().join("traffic_stats")
 }

 /// Get the storage key for traffic stats (profile_id if available, otherwise proxy_id)
@@ -1,4 +1,3 @@
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::fs;
 use std::path::PathBuf;
@@ -67,13 +66,7 @@ impl VersionUpdater {
  }

  fn get_cache_dir() -> Result<PathBuf, Box<dyn std::error::Error>> {
-    let base_dirs = BaseDirs::new().ok_or("Failed to get base directories")?;
-    let app_name = if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    };
-    let cache_dir = base_dirs.cache_dir().join(app_name).join("version_cache");
+    let cache_dir = crate::app_dirs::cache_dir().join("version_cache");
    fs::create_dir_all(&cache_dir)?;
    Ok(cache_dir)
  }
@@ -369,20 +362,15 @@ impl VersionUpdater {
      eprintln!("Failed to emit completion progress: {e}");
    }

-    // After all version updates are complete, trigger auto-update check
-    if total_new_versions > 0 {
-      println!(
-        "Found {total_new_versions} new versions across all browsers. Checking for auto-updates..."
-      );
-
-      // Trigger auto-update check which will automatically download browsers
-      self
-        .auto_updater
-        .check_for_updates_with_progress(app_handle)
-        .await;
-    } else {
-      println!("No new versions found, skipping auto-update check");
-    }
+    // Always check for auto-updates — profiles may still be on older versions
+    // even if no new versions were found in the cache this cycle
+    println!(
+      "Checking for browser auto-updates (found {total_new_versions} new versions in cache)..."
+    );
+    self
+      .auto_updater
+      .check_for_updates_with_progress(app_handle)
+      .await;

    Ok(results)
  }
@@ -52,6 +52,10 @@ pub struct VpnConfig {
  pub config_data: String, // Raw config content (encrypted at rest)
  pub created_at: i64,
  pub last_used: Option<i64>,
+  #[serde(default)]
+  pub sync_enabled: bool,
+  #[serde(default)]
+  pub last_sync: Option<u64>,
 }

 /// Parsed WireGuard configuration
@@ -7,6 +7,8 @@

 mod config;
 mod openvpn;
+pub mod openvpn_socks5;
+pub mod socks5_server;
 mod storage;
 mod tunnel;
 mod wireguard;
@@ -25,7 +27,3 @@ use std::sync::Mutex;

 /// Global VPN storage instance
 pub static VPN_STORAGE: Lazy<Mutex<VpnStorage>> = Lazy::new(|| Mutex::new(VpnStorage::new()));
-
-/// Global tunnel manager instance
-pub static TUNNEL_MANAGER: Lazy<tokio::sync::Mutex<TunnelManager>> =
-  Lazy::new(|| tokio::sync::Mutex::new(TunnelManager::new()));
@@ -73,7 +73,13 @@ impl OpenVpnTunnel {

    #[cfg(windows)]
    {
-      if let Ok(output) = Command::new("where").arg("openvpn").output() {
+      use std::os::windows::process::CommandExt;
+      const CREATE_NO_WINDOW: u32 = 0x08000000;
+      if let Ok(output) = Command::new("where")
+        .arg("openvpn")
+        .creation_flags(CREATE_NO_WINDOW)
+        .output()
+      {
        if output.status.success() {
          let path = String::from_utf8_lossy(&output.stdout)
            .lines()
@@ -0,0 +1,239 @@
+use super::config::{OpenVpnConfig, VpnError};
+use std::path::PathBuf;
+use std::process::{Command, Stdio};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::net::{TcpListener, TcpStream};
+
+pub struct OpenVpnSocks5Server {
+  config: OpenVpnConfig,
+  port: u16,
+}
+
+impl OpenVpnSocks5Server {
+  pub fn new(config: OpenVpnConfig, port: u16) -> Self {
+    Self { config, port }
+  }
+
+  fn find_openvpn_binary() -> Result<PathBuf, VpnError> {
+    let locations = [
+      "/usr/sbin/openvpn",
+      "/usr/local/sbin/openvpn",
+      "/opt/homebrew/bin/openvpn",
+      "/usr/bin/openvpn",
+      "C:\\Program Files\\OpenVPN\\bin\\openvpn.exe",
+      "C:\\Program Files (x86)\\OpenVPN\\bin\\openvpn.exe",
+    ];
+
+    for loc in &locations {
+      let path = PathBuf::from(loc);
+      if path.exists() {
+        return Ok(path);
+      }
+    }
+
+    #[cfg(unix)]
+    {
+      if let Ok(output) = Command::new("which").arg("openvpn").output() {
+        if output.status.success() {
+          let path = String::from_utf8_lossy(&output.stdout).trim().to_string();
+          if !path.is_empty() {
+            return Ok(PathBuf::from(path));
+          }
+        }
+      }
+    }
+
+    #[cfg(windows)]
+    {
+      use std::os::windows::process::CommandExt;
+      const CREATE_NO_WINDOW: u32 = 0x08000000;
+      if let Ok(output) = Command::new("where")
+        .arg("openvpn")
+        .creation_flags(CREATE_NO_WINDOW)
+        .output()
+      {
+        if output.status.success() {
+          let path = String::from_utf8_lossy(&output.stdout)
+            .lines()
+            .next()
+            .unwrap_or("")
+            .trim()
+            .to_string();
+          if !path.is_empty() {
+            return Ok(PathBuf::from(path));
+          }
+        }
+      }
+    }
+
+    Err(VpnError::Connection(
+      "OpenVPN binary not found. Please install OpenVPN.".to_string(),
+    ))
+  }
+
+  pub async fn run(self, config_id: String) -> Result<(), VpnError> {
+    let openvpn_bin = Self::find_openvpn_binary()?;
+
+    // Write config to temp file
+    let config_path = std::env::temp_dir().join(format!("openvpn_{}.ovpn", config_id));
+    std::fs::write(&config_path, &self.config.raw_config).map_err(VpnError::Io)?;
+
+    #[cfg(unix)]
+    {
+      use std::os::unix::fs::PermissionsExt;
+      let _ = std::fs::set_permissions(&config_path, std::fs::Permissions::from_mode(0o600));
+    }
+
+    // Find a management port
+    let mgmt_listener = std::net::TcpListener::bind("127.0.0.1:0")
+      .map_err(|e| VpnError::Connection(format!("Failed to bind management port: {e}")))?;
+    let mgmt_port = mgmt_listener
+      .local_addr()
+      .map_err(|e| VpnError::Connection(format!("Failed to get management port: {e}")))?
+      .port();
+    drop(mgmt_listener);
+
+    // Start OpenVPN with SOCKS proxy mode
+    let mut cmd = Command::new(&openvpn_bin);
+    cmd
+      .arg("--config")
+      .arg(&config_path)
+      .arg("--management")
+      .arg("127.0.0.1")
+      .arg(mgmt_port.to_string())
+      .arg("--socks-proxy")
+      .arg("127.0.0.1")
+      .arg(self.port.to_string())
+      .arg("--verb")
+      .arg("3")
+      .stdout(Stdio::piped())
+      .stderr(Stdio::piped());
+
+    let mut child = cmd
+      .spawn()
+      .map_err(|e| VpnError::Connection(format!("Failed to start OpenVPN: {e}")))?;
+
+    // Wait for OpenVPN to start
+    tokio::time::sleep(tokio::time::Duration::from_secs(3)).await;
+
+    match child.try_wait() {
+      Ok(Some(status)) => {
+        let _ = std::fs::remove_file(&config_path);
+        return Err(VpnError::Connection(format!(
+          "OpenVPN exited early with status: {status}. OpenVPN requires elevated privileges (sudo/admin)."
+        )));
+      }
+      Ok(None) => {}
+      Err(e) => {
+        let _ = std::fs::remove_file(&config_path);
+        return Err(VpnError::Connection(format!(
+          "Failed to check OpenVPN status: {e}"
+        )));
+      }
+    }
+
+    // Start a basic SOCKS5 proxy that tunnels through the OpenVPN TUN interface
+    let listener = TcpListener::bind(format!("127.0.0.1:{}", self.port))
+      .await
+      .map_err(|e| VpnError::Connection(format!("Failed to bind SOCKS5: {e}")))?;
+
+    let actual_port = listener
+      .local_addr()
+      .map_err(|e| VpnError::Connection(format!("Failed to get local addr: {e}")))?
+      .port();
+
+    if let Some(mut wc) = crate::vpn_worker_storage::get_vpn_worker_config(&config_id) {
+      wc.local_port = Some(actual_port);
+      wc.local_url = Some(format!("socks5://127.0.0.1:{}", actual_port));
+      let _ = crate::vpn_worker_storage::save_vpn_worker_config(&wc);
+    }
+
+    log::info!(
+      "[vpn-worker] OpenVPN SOCKS5 server listening on 127.0.0.1:{}",
+      actual_port
+    );
+
+    loop {
+      match listener.accept().await {
+        Ok((client, _)) => {
+          tokio::spawn(Self::handle_socks5_client(client));
+        }
+        Err(e) => {
+          log::warn!("[vpn-worker] Accept error: {e}");
+        }
+      }
+    }
+  }
+
+  async fn handle_socks5_client(
+    mut client: TcpStream,
+  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    // SOCKS5 greeting
+    let mut buf = [0u8; 256];
+    let n = client.read(&mut buf).await?;
+    if n < 3 || buf[0] != 0x05 {
+      return Ok(());
+    }
+    client.write_all(&[0x05, 0x00]).await?;
+
+    // SOCKS5 connect request
+    let n = client.read(&mut buf).await?;
+    if n < 10 || buf[0] != 0x05 || buf[1] != 0x01 {
+      return Ok(());
+    }
+
+    let dest_addr = match buf[3] {
+      0x01 => {
+        let ip = std::net::Ipv4Addr::new(buf[4], buf[5], buf[6], buf[7]);
+        let port = u16::from_be_bytes([buf[8], buf[9]]);
+        format!("{}:{}", ip, port)
+      }
+      0x03 => {
+        let domain_len = buf[4] as usize;
+        let domain = String::from_utf8_lossy(&buf[5..5 + domain_len]).to_string();
+        let port_start = 5 + domain_len;
+        let port = u16::from_be_bytes([buf[port_start], buf[port_start + 1]]);
+        format!("{}:{}", domain, port)
+      }
+      _ => return Ok(()),
+    };
+
+    // Connect to destination through OpenVPN tunnel (OS routing handles it)
+    match TcpStream::connect(&dest_addr).await {
+      Ok(upstream) => {
+        client
+          .write_all(&[0x05, 0x00, 0x00, 0x01, 127, 0, 0, 1, 0, 0])
+          .await?;
+
+        let (mut cr, mut cw) = client.into_split();
+        let (mut ur, mut uw) = upstream.into_split();
+
+        let c2u = tokio::io::copy(&mut cr, &mut uw);
+        let u2c = tokio::io::copy(&mut ur, &mut cw);
+
+        let _ = tokio::try_join!(c2u, u2c);
+      }
+      Err(_) => {
+        client
+          .write_all(&[0x05, 0x05, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
+          .await?;
+      }
+    }
+
+    Ok(())
+  }
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_find_openvpn_binary_format() {
+    let result = OpenVpnSocks5Server::find_openvpn_binary();
+    match result {
+      Ok(path) => assert!(!path.as_os_str().is_empty()),
+      Err(e) => assert!(e.to_string().contains("not found")),
+    }
+  }
+}
@@ -0,0 +1,656 @@
+use super::config::{VpnError, WireGuardConfig};
+use boringtun::noise::{Tunn, TunnResult};
+use boringtun::x25519::{PublicKey, StaticSecret};
+use smoltcp::iface::{Config as IfaceConfig, Interface, SocketHandle, SocketSet};
+use smoltcp::phy::{Device, DeviceCapabilities, Medium, RxToken, TxToken};
+use smoltcp::socket::tcp::{Socket as TcpSocket, SocketBuffer};
+use smoltcp::time::Instant as SmolInstant;
+use smoltcp::wire::{HardwareAddress, IpAddress, IpCidr, Ipv4Address};
+use std::collections::VecDeque;
+use std::net::{SocketAddr, ToSocketAddrs, UdpSocket};
+use std::sync::{Arc, Mutex};
+use tokio::net::{TcpListener, TcpStream};
+
+const SMOLTCP_TCP_RX_BUF: usize = 65536;
+const SMOLTCP_TCP_TX_BUF: usize = 65536;
+
+struct WgDevice {
+  tunn: Arc<Mutex<Box<Tunn>>>,
+  udp_socket: Arc<UdpSocket>,
+  peer_addr: SocketAddr,
+  rx_queue: VecDeque<Vec<u8>>,
+  tx_queue: VecDeque<Vec<u8>>,
+}
+
+impl WgDevice {
+  fn pump_wg_to_rx(&mut self) {
+    let mut recv_buf = vec![0u8; 2048];
+    loop {
+      match self.udp_socket.recv_from(&mut recv_buf) {
+        Ok((len, _)) => {
+          let mut dst = vec![0u8; 2048];
+          let mut tunn = self.tunn.lock().unwrap();
+          let result = tunn.decapsulate(None, &recv_buf[..len], &mut dst);
+          match result {
+            TunnResult::WriteToTunnelV4(data, _) | TunnResult::WriteToTunnelV6(data, _) => {
+              self.rx_queue.push_back(data.to_vec());
+            }
+            TunnResult::WriteToNetwork(response) => {
+              let _ = self.udp_socket.send_to(response, self.peer_addr);
+            }
+            _ => {}
+          }
+        }
+        Err(ref e) if e.kind() == std::io::ErrorKind::WouldBlock => break,
+        Err(_) => break,
+      }
+    }
+  }
+
+  fn flush_tx_queue(&mut self) {
+    while let Some(ip_packet) = self.tx_queue.pop_front() {
+      let mut dst = vec![0u8; ip_packet.len() + 256];
+      let mut tunn = self.tunn.lock().unwrap();
+      let result = tunn.encapsulate(&ip_packet, &mut dst);
+      if let TunnResult::WriteToNetwork(packet) = result {
+        let _ = self.udp_socket.send_to(packet, self.peer_addr);
+      }
+    }
+  }
+
+  fn tick_timers(&mut self) {
+    let mut dst = vec![0u8; 2048];
+    let mut tunn = self.tunn.lock().unwrap();
+    let result = tunn.update_timers(&mut dst);
+    if let TunnResult::WriteToNetwork(packet) = result {
+      let _ = self.udp_socket.send_to(packet, self.peer_addr);
+    }
+  }
+}
+
+struct WgRxToken {
+  data: Vec<u8>,
+}
+
+impl RxToken for WgRxToken {
+  fn consume<R, F>(mut self, f: F) -> R
+  where
+    F: FnOnce(&mut [u8]) -> R,
+  {
+    f(&mut self.data)
+  }
+}
+
+struct WgTxToken<'a> {
+  tx_queue: &'a mut VecDeque<Vec<u8>>,
+}
+
+impl<'a> TxToken for WgTxToken<'a> {
+  fn consume<R, F>(self, len: usize, f: F) -> R
+  where
+    F: FnOnce(&mut [u8]) -> R,
+  {
+    let mut buf = vec![0u8; len];
+    let result = f(&mut buf);
+    self.tx_queue.push_back(buf);
+    result
+  }
+}
+
+impl Device for WgDevice {
+  type RxToken<'a> = WgRxToken;
+  type TxToken<'a> = WgTxToken<'a>;
+
+  fn receive(&mut self, _timestamp: SmolInstant) -> Option<(Self::RxToken<'_>, Self::TxToken<'_>)> {
+    if let Some(data) = self.rx_queue.pop_front() {
+      Some((
+        WgRxToken { data },
+        WgTxToken {
+          tx_queue: &mut self.tx_queue,
+        },
+      ))
+    } else {
+      None
+    }
+  }
+
+  fn transmit(&mut self, _timestamp: SmolInstant) -> Option<Self::TxToken<'_>> {
+    Some(WgTxToken {
+      tx_queue: &mut self.tx_queue,
+    })
+  }
+
+  fn capabilities(&self) -> DeviceCapabilities {
+    let mut caps = DeviceCapabilities::default();
+    caps.medium = Medium::Ip;
+    caps.max_transmission_unit = 1420;
+    caps
+  }
+}
+
+fn parse_key(key: &str) -> Result<[u8; 32], VpnError> {
+  let decoded = base64::Engine::decode(&base64::engine::general_purpose::STANDARD, key)
+    .map_err(|e| VpnError::InvalidWireGuard(format!("Invalid key encoding: {e}")))?;
+  if decoded.len() != 32 {
+    return Err(VpnError::InvalidWireGuard(format!(
+      "Invalid key length: {} (expected 32)",
+      decoded.len()
+    )));
+  }
+  let mut key_bytes = [0u8; 32];
+  key_bytes.copy_from_slice(&decoded);
+  Ok(key_bytes)
+}
+
+fn parse_cidr_address(addr: &str) -> Result<(IpCidr, IpAddress), VpnError> {
+  let first_addr = addr.split(',').next().unwrap_or(addr).trim();
+
+  let parts: Vec<&str> = first_addr.split('/').collect();
+  let ip_str = parts[0];
+  let prefix = if parts.len() > 1 {
+    parts[1]
+      .parse::<u8>()
+      .map_err(|_| VpnError::InvalidWireGuard(format!("Invalid prefix length: {}", parts[1])))?
+  } else {
+    32
+  };
+
+  let ip: std::net::IpAddr = ip_str
+    .parse()
+    .map_err(|_| VpnError::InvalidWireGuard(format!("Invalid IP address: {ip_str}")))?;
+
+  match ip {
+    std::net::IpAddr::V4(v4) => {
+      let smol_ip = Ipv4Address::new(
+        v4.octets()[0],
+        v4.octets()[1],
+        v4.octets()[2],
+        v4.octets()[3],
+      );
+      Ok((
+        IpCidr::new(IpAddress::Ipv4(smol_ip), prefix),
+        IpAddress::Ipv4(smol_ip),
+      ))
+    }
+    std::net::IpAddr::V6(v6) => {
+      let smol_ip = smoltcp::wire::Ipv6Address::from_bytes(&v6.octets());
+      Ok((
+        IpCidr::new(IpAddress::Ipv6(smol_ip), prefix),
+        IpAddress::Ipv6(smol_ip),
+      ))
+    }
+  }
+}
+
+pub struct WireGuardSocks5Server {
+  config: WireGuardConfig,
+  port: u16,
+}
+
+impl WireGuardSocks5Server {
+  pub fn new(config: WireGuardConfig, port: u16) -> Self {
+    Self { config, port }
+  }
+
+  fn create_tunnel(&self) -> Result<Box<Tunn>, VpnError> {
+    let private_key_bytes = parse_key(&self.config.private_key)?;
+    let static_private = StaticSecret::from(private_key_bytes);
+
+    let peer_public_bytes = parse_key(&self.config.peer_public_key)?;
+    let peer_public = PublicKey::from(peer_public_bytes);
+
+    let preshared_key = if let Some(ref psk) = self.config.preshared_key {
+      Some(parse_key(psk)?)
+    } else {
+      None
+    };
+
+    Ok(Box::new(Tunn::new(
+      static_private,
+      peer_public,
+      preshared_key,
+      self.config.persistent_keepalive,
+      0,
+      None,
+    )))
+  }
+
+  fn resolve_endpoint(&self) -> Result<SocketAddr, VpnError> {
+    self
+      .config
+      .peer_endpoint
+      .to_socket_addrs()
+      .map_err(|e| {
+        VpnError::Connection(format!(
+          "Failed to resolve endpoint '{}': {e}",
+          self.config.peer_endpoint
+        ))
+      })?
+      .next()
+      .ok_or_else(|| {
+        VpnError::Connection(format!(
+          "No addresses found for endpoint: {}",
+          self.config.peer_endpoint
+        ))
+      })
+  }
+
+  fn do_handshake(
+    tunn: &mut Tunn,
+    socket: &UdpSocket,
+    peer_addr: SocketAddr,
+  ) -> Result<(), VpnError> {
+    let mut dst = vec![0u8; 2048];
+    let result = tunn.format_handshake_initiation(&mut dst, false);
+
+    match result {
+      TunnResult::WriteToNetwork(packet) => {
+        socket
+          .send_to(packet, peer_addr)
+          .map_err(|e| VpnError::Connection(format!("Failed to send handshake: {e}")))?;
+      }
+      TunnResult::Err(e) => {
+        return Err(VpnError::Tunnel(format!(
+          "Handshake initiation failed: {e:?}"
+        )));
+      }
+      _ => {}
+    }
+
+    socket
+      .set_read_timeout(Some(std::time::Duration::from_secs(10)))
+      .map_err(|e| VpnError::Connection(format!("Failed to set timeout: {e}")))?;
+
+    let mut recv_buf = vec![0u8; 2048];
+    match socket.recv_from(&mut recv_buf) {
+      Ok((len, _)) => {
+        let result = tunn.decapsulate(None, &recv_buf[..len], &mut dst);
+        match result {
+          TunnResult::WriteToNetwork(response) => {
+            socket
+              .send_to(response, peer_addr)
+              .map_err(|e| VpnError::Connection(format!("Failed to send response: {e}")))?;
+          }
+          TunnResult::Done => {}
+          TunnResult::Err(e) => {
+            return Err(VpnError::Tunnel(format!(
+              "Handshake response failed: {e:?}"
+            )));
+          }
+          _ => {}
+        }
+      }
+      Err(e) => {
+        return Err(VpnError::Connection(format!(
+          "Handshake timeout or error: {e}"
+        )));
+      }
+    }
+
+    socket
+      .set_read_timeout(None)
+      .map_err(|e| VpnError::Connection(format!("Failed to clear timeout: {e}")))?;
+
+    Ok(())
+  }
+
+  pub async fn run(self, config_id: String) -> Result<(), VpnError> {
+    let peer_addr = self.resolve_endpoint()?;
+    let mut tunn = self.create_tunnel()?;
+
+    let udp_socket = UdpSocket::bind("0.0.0.0:0")
+      .map_err(|e| VpnError::Connection(format!("Failed to create UDP socket: {e}")))?;
+
+    Self::do_handshake(&mut tunn, &udp_socket, peer_addr)?;
+
+    udp_socket
+      .set_nonblocking(true)
+      .map_err(|e| VpnError::Connection(format!("Failed to set non-blocking: {e}")))?;
+
+    log::info!("[vpn-worker] WireGuard handshake completed");
+
+    let (cidr, local_ip) = parse_cidr_address(&self.config.address)?;
+
+    let tunn_arc = Arc::new(Mutex::new(tunn));
+    let udp_arc = Arc::new(udp_socket);
+
+    let mut device = WgDevice {
+      tunn: tunn_arc.clone(),
+      udp_socket: udp_arc.clone(),
+      peer_addr,
+      rx_queue: VecDeque::new(),
+      tx_queue: VecDeque::new(),
+    };
+
+    let iface_config = IfaceConfig::new(HardwareAddress::Ip);
+    let mut iface = Interface::new(iface_config, &mut device, SmolInstant::now());
+    iface.update_ip_addrs(|addrs| {
+      let _ = addrs.push(cidr);
+    });
+
+    // Set default gateway
+    match local_ip {
+      IpAddress::Ipv4(v4) => {
+        let octets = v4.as_bytes();
+        let gw = Ipv4Address::new(octets[0], octets[1], octets[2], 1);
+        iface
+          .routes_mut()
+          .add_default_ipv4_route(gw)
+          .map_err(|e| VpnError::Tunnel(format!("Failed to add default route: {e}")))?;
+      }
+      IpAddress::Ipv6(_) => {
+        // IPv6 routing not yet implemented
+      }
+    }
+
+    let listener = TcpListener::bind(format!("127.0.0.1:{}", self.port))
+      .await
+      .map_err(|e| VpnError::Connection(format!("Failed to bind SOCKS5 listener: {e}")))?;
+
+    let actual_port = listener
+      .local_addr()
+      .map_err(|e| VpnError::Connection(format!("Failed to get local addr: {e}")))?
+      .port();
+
+    // Update config with actual port and local_url
+    if let Some(mut wc) = crate::vpn_worker_storage::get_vpn_worker_config(&config_id) {
+      wc.local_port = Some(actual_port);
+      wc.local_url = Some(format!("socks5://127.0.0.1:{}", actual_port));
+      let _ = crate::vpn_worker_storage::save_vpn_worker_config(&wc);
+    }
+
+    log::info!(
+      "[vpn-worker] SOCKS5 server listening on 127.0.0.1:{}",
+      actual_port
+    );
+
+    let mut sockets = SocketSet::new(vec![]);
+
+    struct Connection {
+      smol_handle: SocketHandle,
+      tcp_stream: TcpStream,
+      socks_done: bool,
+      read_buf: Vec<u8>,
+      dest_addr: Option<SocketAddr>,
+    }
+
+    let mut connections: Vec<Connection> = Vec::new();
+    let mut timer_counter: u64 = 0;
+
+    loop {
+      // Accept new SOCKS5 connections (non-blocking via short timeout)
+      if let Ok(Ok((stream, _addr))) =
+        tokio::time::timeout(tokio::time::Duration::from_millis(1), listener.accept()).await
+      {
+        let tcp_rx = SocketBuffer::new(vec![0u8; SMOLTCP_TCP_RX_BUF]);
+        let tcp_tx = SocketBuffer::new(vec![0u8; SMOLTCP_TCP_TX_BUF]);
+        let tcp_socket = TcpSocket::new(tcp_rx, tcp_tx);
+        let handle = sockets.add(tcp_socket);
+
+        connections.push(Connection {
+          smol_handle: handle,
+          tcp_stream: stream,
+          socks_done: false,
+          read_buf: Vec::new(),
+          dest_addr: None,
+        });
+      }
+
+      // Pump WireGuard packets into smoltcp rx queue
+      device.pump_wg_to_rx();
+
+      // Poll the smoltcp interface
+      let timestamp = SmolInstant::now();
+      let _changed = iface.poll(timestamp, &mut device, &mut sockets);
+
+      // Flush encrypted packets out through WireGuard
+      device.flush_tx_queue();
+
+      // Process each connection
+      let mut completed = Vec::new();
+      for (idx, conn) in connections.iter_mut().enumerate() {
+        if !conn.socks_done {
+          // Handle SOCKS5 handshake
+          let mut buf = [0u8; 512];
+          match conn.tcp_stream.try_read(&mut buf) {
+            Ok(0) => {
+              completed.push(idx);
+              continue;
+            }
+            Ok(n) => {
+              conn.read_buf.extend_from_slice(&buf[..n]);
+            }
+            Err(ref e) if e.kind() == std::io::ErrorKind::WouldBlock => {}
+            Err(_) => {
+              completed.push(idx);
+              continue;
+            }
+          }
+
+          if conn.dest_addr.is_none() && conn.read_buf.len() >= 3 {
+            // SOCKS5 greeting: version, nmethods, methods
+            if conn.read_buf[0] != 0x05 {
+              completed.push(idx);
+              continue;
+            }
+            // Reply: no auth required
+            let _ = conn.tcp_stream.try_write(&[0x05, 0x00]);
+            let nmethods = conn.read_buf[1] as usize;
+            conn.read_buf.drain(..2 + nmethods);
+          }
+
+          if conn.dest_addr.is_none() && conn.read_buf.len() >= 10 {
+            // SOCKS5 connect request
+            if conn.read_buf[0] != 0x05 || conn.read_buf[1] != 0x01 {
+              completed.push(idx);
+              continue;
+            }
+
+            let (addr, addr_len) = match conn.read_buf[3] {
+              0x01 => {
+                // IPv4
+                if conn.read_buf.len() < 10 {
+                  continue;
+                }
+                let ip = std::net::Ipv4Addr::new(
+                  conn.read_buf[4],
+                  conn.read_buf[5],
+                  conn.read_buf[6],
+                  conn.read_buf[7],
+                );
+                let port = u16::from_be_bytes([conn.read_buf[8], conn.read_buf[9]]);
+                (SocketAddr::new(std::net::IpAddr::V4(ip), port), 10)
+              }
+              0x03 => {
+                // Domain name
+                let domain_len = conn.read_buf[4] as usize;
+                let needed = 4 + 1 + domain_len + 2;
+                if conn.read_buf.len() < needed {
+                  continue;
+                }
+                let domain = String::from_utf8_lossy(&conn.read_buf[5..5 + domain_len]).to_string();
+                let port_start = 5 + domain_len;
+                let port =
+                  u16::from_be_bytes([conn.read_buf[port_start], conn.read_buf[port_start + 1]]);
+                // Resolve domain
+                match format!("{}:{}", domain, port).to_socket_addrs() {
+                  Ok(mut addrs) => {
+                    if let Some(addr) = addrs.next() {
+                      (addr, needed)
+                    } else {
+                      // Send SOCKS5 error: host unreachable
+                      let _ = conn
+                        .tcp_stream
+                        .try_write(&[0x05, 0x04, 0x00, 0x01, 0, 0, 0, 0, 0, 0]);
+                      completed.push(idx);
+                      continue;
+                    }
+                  }
+                  Err(_) => {
+                    let _ = conn
+                      .tcp_stream
+                      .try_write(&[0x05, 0x04, 0x00, 0x01, 0, 0, 0, 0, 0, 0]);
+                    completed.push(idx);
+                    continue;
+                  }
+                }
+              }
+              0x04 => {
+                // IPv6
+                if conn.read_buf.len() < 22 {
+                  continue;
+                }
+                let mut octets = [0u8; 16];
+                octets.copy_from_slice(&conn.read_buf[4..20]);
+                let ip = std::net::Ipv6Addr::from(octets);
+                let port = u16::from_be_bytes([conn.read_buf[20], conn.read_buf[21]]);
+                (SocketAddr::new(std::net::IpAddr::V6(ip), port), 22)
+              }
+              _ => {
+                completed.push(idx);
+                continue;
+              }
+            };
+
+            conn.read_buf.drain(..addr_len);
+            conn.dest_addr = Some(addr);
+
+            // Open smoltcp TCP socket to the destination
+            let socket = sockets.get_mut::<TcpSocket>(conn.smol_handle);
+            let smol_addr = match addr.ip() {
+              std::net::IpAddr::V4(v4) => {
+                let o = v4.octets();
+                IpAddress::Ipv4(Ipv4Address::new(o[0], o[1], o[2], o[3]))
+              }
+              std::net::IpAddr::V6(v6) => {
+                IpAddress::Ipv6(smoltcp::wire::Ipv6Address::from_bytes(&v6.octets()))
+              }
+            };
+
+            let local_port = 10000 + (rand::random::<u16>() % 50000);
+            if socket
+              .connect(iface.context(), (smol_addr, addr.port()), local_port)
+              .is_err()
+            {
+              let _ = conn
+                .tcp_stream
+                .try_write(&[0x05, 0x05, 0x00, 0x01, 0, 0, 0, 0, 0, 0]);
+              completed.push(idx);
+              continue;
+            }
+
+            // Send SOCKS5 success reply
+            let _ = conn.tcp_stream.try_write(&[
+              0x05,
+              0x00,
+              0x00,
+              0x01,
+              127,
+              0,
+              0,
+              1,
+              (actual_port >> 8) as u8,
+              (actual_port & 0xff) as u8,
+            ]);
+            conn.socks_done = true;
+          }
+        } else {
+          // Data relay between SOCKS5 client and smoltcp socket
+          let socket = sockets.get_mut::<TcpSocket>(conn.smol_handle);
+
+          // Client → smoltcp
+          let mut buf = [0u8; 4096];
+          match conn.tcp_stream.try_read(&mut buf) {
+            Ok(0) => {
+              socket.close();
+              completed.push(idx);
+              continue;
+            }
+            Ok(n) => {
+              if socket.can_send() {
+                let _ = socket.send_slice(&buf[..n]);
+              }
+            }
+            Err(ref e) if e.kind() == std::io::ErrorKind::WouldBlock => {}
+            Err(_) => {
+              socket.close();
+              completed.push(idx);
+              continue;
+            }
+          }
+
+          // smoltcp → Client
+          if socket.can_recv() {
+            match socket.recv(|data| (data.len(), data.to_vec())) {
+              Ok(data) if !data.is_empty() => {
+                if conn.tcp_stream.try_write(&data).is_err() {
+                  socket.close();
+                  completed.push(idx);
+                  continue;
+                }
+              }
+              _ => {}
+            }
+          }
+
+          // Check if smoltcp socket closed
+          if !socket.is_open() && !socket.is_active() {
+            completed.push(idx);
+          }
+        }
+      }
+
+      // Remove completed connections (in reverse order)
+      completed.sort_unstable();
+      completed.dedup();
+      for idx in completed.into_iter().rev() {
+        let conn = connections.remove(idx);
+        sockets.remove(conn.smol_handle);
+      }
+
+      // Timer ticks for WireGuard keepalives
+      timer_counter += 1;
+      if timer_counter.is_multiple_of(500) {
+        device.tick_timers();
+      }
+
+      // Small sleep to avoid busy-spinning
+      tokio::time::sleep(tokio::time::Duration::from_millis(1)).await;
+    }
+  }
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_parse_cidr_ipv4() {
+    let (cidr, ip) = parse_cidr_address("10.0.0.2/24").unwrap();
+    assert_eq!(cidr.prefix_len(), 24);
+    assert_eq!(ip, IpAddress::Ipv4(Ipv4Address::new(10, 0, 0, 2)));
+  }
+
+  #[test]
+  fn test_parse_cidr_no_prefix() {
+    let (cidr, _) = parse_cidr_address("10.0.0.2").unwrap();
+    assert_eq!(cidr.prefix_len(), 32);
+  }
+
+  #[test]
+  fn test_parse_cidr_multi_address() {
+    let (_, ip) = parse_cidr_address("10.0.0.2/24, fd00::2/128").unwrap();
+    assert_eq!(ip, IpAddress::Ipv4(Ipv4Address::new(10, 0, 0, 2)));
+  }
+
+  #[test]
+  fn test_parse_key_valid() {
+    let key = "YEocP0e2o1WT5GlvBvQzVF7EeR6z9aCk+ZdZ5NKEuXA=";
+    assert!(parse_key(key).is_ok());
+  }
+
+  #[test]
+  fn test_parse_key_invalid() {
+    assert!(parse_key("not-valid").is_err());
+  }
+}
@@ -32,6 +32,10 @@ struct StoredVpnConfig {
  nonce: String,          // Base64 encoded nonce
  created_at: i64,
  last_used: Option<i64>,
+  #[serde(default)]
+  sync_enabled: bool,
+  #[serde(default)]
+  last_sync: Option<u64>,
 }

 /// VPN storage manager with encryption
@@ -93,22 +97,17 @@ impl VpnStorage {

  /// Get the storage file path
  fn get_storage_path() -> PathBuf {
-    let data_dir = directories::ProjectDirs::from("com", "donut", "donutbrowser")
-      .map(|dirs| dirs.data_local_dir().to_path_buf())
-      .unwrap_or_else(|| PathBuf::from("."));
-
-    if !data_dir.exists() {
-      let _ = fs::create_dir_all(&data_dir);
+    let vpn_dir = crate::app_dirs::vpn_dir();
+    if !vpn_dir.exists() {
+      let _ = fs::create_dir_all(&vpn_dir);
    }
-
-    data_dir.join("vpn_configs.json")
+    Self::migrate_from_old_location(&vpn_dir);
+    vpn_dir.join("vpn_configs.json")
  }

  /// Get or create the encryption key
  fn get_or_create_key() -> [u8; 32] {
-    let key_path = directories::ProjectDirs::from("com", "donut", "donutbrowser")
-      .map(|dirs| dirs.data_local_dir().join(".vpn_key"))
-      .unwrap_or_else(|| PathBuf::from(".vpn_key"));
+    let key_path = crate::app_dirs::vpn_dir().join(".vpn_key");

    if key_path.exists() {
      if let Ok(key_data) = fs::read(&key_path) {
@@ -134,6 +133,22 @@ impl VpnStorage {
    key
  }

+  /// Migrate VPN configs from the old ProjectDirs location to the new app_dirs location.
+  fn migrate_from_old_location(new_dir: &std::path::Path) {
+    let old_dir = match directories::ProjectDirs::from("com", "donut", "donutbrowser") {
+      Some(dirs) => dirs.data_local_dir().to_path_buf(),
+      None => return,
+    };
+
+    for filename in &["vpn_configs.json", ".vpn_key"] {
+      let old_path = old_dir.join(filename);
+      let new_path = new_dir.join(filename);
+      if old_path.exists() && !new_path.exists() {
+        let _ = fs::copy(&old_path, &new_path);
+      }
+    }
+  }
+
  /// Load storage data from disk
  fn load_storage(&self) -> Result<VpnStorageData, VpnError> {
    if !self.storage_path.exists() {
@@ -220,6 +235,8 @@ impl VpnStorage {
      nonce,
      created_at: config.created_at,
      last_used: config.last_used,
+      sync_enabled: config.sync_enabled,
+      last_sync: config.last_sync,
    };

    // Update existing or add new
@@ -251,6 +268,8 @@ impl VpnStorage {
      config_data,
      created_at: stored.created_at,
      last_used: stored.last_used,
+      sync_enabled: stored.sync_enabled,
+      last_sync: stored.last_sync,
    })
  }

@@ -269,6 +288,8 @@ impl VpnStorage {
          config_data: String::new(), // Don't include config data in list
          created_at: stored.created_at,
          last_used: stored.last_used,
+          sync_enabled: stored.sync_enabled,
+          last_sync: stored.last_sync,
        })
        .collect(),
    )
@@ -300,6 +321,68 @@ impl VpnStorage {
    }
  }

+  /// Create a VPN config manually from validated data
+  pub fn create_config_manual(
+    &self,
+    name: &str,
+    vpn_type: VpnType,
+    config_data: &str,
+  ) -> Result<VpnConfig, VpnError> {
+    // Validate the config by parsing it
+    match vpn_type {
+      VpnType::WireGuard => {
+        super::parse_wireguard_config(config_data)?;
+      }
+      VpnType::OpenVPN => {
+        super::parse_openvpn_config(config_data)?;
+      }
+    }
+
+    let id = Uuid::new_v4().to_string();
+    let sync_enabled = crate::sync::is_sync_configured();
+
+    let config = VpnConfig {
+      id,
+      name: name.to_string(),
+      vpn_type,
+      config_data: config_data.to_string(),
+      created_at: Utc::now().timestamp(),
+      last_used: None,
+      sync_enabled,
+      last_sync: None,
+    };
+
+    self.save_config(&config)?;
+
+    Ok(config)
+  }
+
+  /// Update the name of an existing VPN config
+  pub fn update_config_name(&self, id: &str, new_name: &str) -> Result<VpnConfig, VpnError> {
+    let mut config = self.load_config(id)?;
+    config.name = new_name.to_string();
+    self.save_config(&config)?;
+    Ok(config)
+  }
+
+  /// Update sync fields on a VPN config
+  pub fn update_sync_fields(
+    &self,
+    id: &str,
+    sync_enabled: bool,
+    last_sync: Option<u64>,
+  ) -> Result<(), VpnError> {
+    let mut storage = self.load_storage()?;
+
+    if let Some(config) = storage.configs.iter_mut().find(|c| c.id == id) {
+      config.sync_enabled = sync_enabled;
+      config.last_sync = last_sync;
+      self.save_storage(&storage)
+    } else {
+      Err(VpnError::NotFound(id.to_string()))
+    }
+  }
+
  /// Import a VPN config from raw content
  pub fn import_config(
    &self,
@@ -325,6 +408,7 @@ impl VpnStorage {
      let base = filename.trim_end_matches(".conf").trim_end_matches(".ovpn");
      format!("{} ({})", base, vpn_type)
    });
+    let sync_enabled = crate::sync::is_sync_configured();

    let config = VpnConfig {
      id,
@@ -333,6 +417,8 @@ impl VpnStorage {
      config_data: content.to_string(),
      created_at: Utc::now().timestamp(),
      last_used: None,
+      sync_enabled,
+      last_sync: None,
    };

    self.save_config(&config)?;
@@ -348,8 +434,7 @@ mod tests {

  fn create_test_storage() -> (VpnStorage, TempDir) {
    let temp_dir = TempDir::new().unwrap();
-    let mut storage = VpnStorage::new();
-    storage.storage_path = temp_dir.path().join("test_vpn_configs.json");
+    let storage = VpnStorage::with_dir(temp_dir.path());
    (storage, temp_dir)
  }

@@ -375,6 +460,8 @@ mod tests {
      config_data: "[Interface]\nPrivateKey = test\n[Peer]\nPublicKey = peer".to_string(),
      created_at: 1234567890,
      last_used: None,
+      sync_enabled: false,
+      last_sync: None,
    };

    storage.save_config(&config).unwrap();
@@ -397,6 +484,8 @@ mod tests {
      config_data: "secret1".to_string(),
      created_at: 1000,
      last_used: None,
+      sync_enabled: false,
+      last_sync: None,
    };

    let config2 = VpnConfig {
@@ -406,6 +495,8 @@ mod tests {
      config_data: "secret2".to_string(),
      created_at: 2000,
      last_used: Some(3000),
+      sync_enabled: false,
+      last_sync: None,
    };

    storage.save_config(&config1).unwrap();
@@ -430,6 +521,8 @@ mod tests {
      config_data: "data".to_string(),
      created_at: 1000,
      last_used: None,
+      sync_enabled: false,
+      last_sync: None,
    };

    storage.save_config(&config).unwrap();
@@ -0,0 +1,248 @@
+use crate::proxy_storage::is_process_running;
+use crate::vpn_worker_storage::{
+  delete_vpn_worker_config, find_vpn_worker_by_vpn_id, generate_vpn_worker_id,
+  get_vpn_worker_config, list_vpn_worker_configs, save_vpn_worker_config, VpnWorkerConfig,
+};
+use std::process::Stdio;
+
+pub async fn start_vpn_worker(vpn_id: &str) -> Result<VpnWorkerConfig, Box<dyn std::error::Error>> {
+  // Check if a VPN worker for this vpn_id already exists and is running
+  if let Some(existing) = find_vpn_worker_by_vpn_id(vpn_id) {
+    if let Some(pid) = existing.pid {
+      if is_process_running(pid) {
+        return Ok(existing);
+      }
+    }
+    // Worker config exists but process is dead, clean up
+    delete_vpn_worker_config(&existing.id);
+  }
+
+  // Load VPN config from storage to determine type
+  let vpn_config = {
+    let storage = crate::vpn::VPN_STORAGE
+      .lock()
+      .map_err(|e| format!("Failed to lock VPN storage: {e}"))?;
+    storage
+      .load_config(vpn_id)
+      .map_err(|e| format!("Failed to load VPN config: {e}"))?
+  };
+
+  let vpn_type_str = match vpn_config.vpn_type {
+    crate::vpn::VpnType::WireGuard => "wireguard",
+    crate::vpn::VpnType::OpenVPN => "openvpn",
+  };
+
+  // Write decrypted config to a temp file
+  let config_file_path = std::env::temp_dir()
+    .join(format!("donut_vpn_{}.conf", vpn_id))
+    .to_string_lossy()
+    .to_string();
+
+  std::fs::write(&config_file_path, &vpn_config.config_data)?;
+
+  #[cfg(unix)]
+  {
+    use std::os::unix::fs::PermissionsExt;
+    let _ = std::fs::set_permissions(&config_file_path, std::fs::Permissions::from_mode(0o600));
+  }
+
+  let id = generate_vpn_worker_id();
+
+  // Find an available port
+  let local_port = {
+    let listener = std::net::TcpListener::bind("127.0.0.1:0")?;
+    listener.local_addr()?.port()
+  };
+
+  let config = VpnWorkerConfig::new(
+    id.clone(),
+    vpn_id.to_string(),
+    vpn_type_str.to_string(),
+    config_file_path,
+  );
+  save_vpn_worker_config(&config)?;
+
+  // Spawn detached VPN worker process
+  let exe = std::env::current_exe()?;
+
+  #[cfg(unix)]
+  {
+    use std::os::unix::process::CommandExt;
+    use std::process::Command as StdCommand;
+
+    let mut cmd = StdCommand::new(&exe);
+    cmd.arg("vpn-worker");
+    cmd.arg("start");
+    cmd.arg("--id");
+    cmd.arg(&id);
+    cmd.arg("--port");
+    cmd.arg(local_port.to_string());
+
+    cmd.stdin(Stdio::null());
+    cmd.stdout(Stdio::null());
+
+    let log_path = std::env::temp_dir().join(format!("donut-vpn-{}.log", id));
+    if let Ok(file) = std::fs::File::create(&log_path) {
+      log::info!("VPN worker stderr will be logged to: {:?}", log_path);
+      cmd.stderr(Stdio::from(file));
+    } else {
+      cmd.stderr(Stdio::null());
+    }
+
+    unsafe {
+      cmd.pre_exec(|| {
+        libc::setsid();
+        if libc::setpriority(libc::PRIO_PROCESS, 0, -10) != 0 {
+          let _ = libc::setpriority(libc::PRIO_PROCESS, 0, -5);
+        }
+        Ok(())
+      });
+    }
+
+    let child = cmd.spawn()?;
+    let pid = child.id();
+
+    let mut config_with_pid = config.clone();
+    config_with_pid.pid = Some(pid);
+    config_with_pid.local_port = Some(local_port);
+    save_vpn_worker_config(&config_with_pid)?;
+
+    drop(child);
+  }
+
+  #[cfg(windows)]
+  {
+    use std::os::windows::process::CommandExt;
+    use std::process::Command as StdCommand;
+
+    let mut cmd = StdCommand::new(&exe);
+    cmd.arg("vpn-worker");
+    cmd.arg("start");
+    cmd.arg("--id");
+    cmd.arg(&id);
+    cmd.arg("--port");
+    cmd.arg(local_port.to_string());
+
+    cmd.stdin(Stdio::null());
+    cmd.stdout(Stdio::null());
+
+    let log_path = std::env::temp_dir().join(format!("donut-vpn-{}.log", id));
+    if let Ok(file) = std::fs::File::create(&log_path) {
+      log::info!("VPN worker stderr will be logged to: {:?}", log_path);
+      cmd.stderr(Stdio::from(file));
+    } else {
+      cmd.stderr(Stdio::null());
+    }
+
+    const DETACHED_PROCESS: u32 = 0x00000008;
+    const CREATE_NEW_PROCESS_GROUP: u32 = 0x00000200;
+    cmd.creation_flags(DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP);
+
+    let child = cmd.spawn()?;
+    let pid = child.id();
+
+    let mut config_with_pid = config.clone();
+    config_with_pid.pid = Some(pid);
+    config_with_pid.local_port = Some(local_port);
+    save_vpn_worker_config(&config_with_pid)?;
+
+    drop(child);
+  }
+
+  // Wait for the worker to update config with local_url
+  tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
+
+  let mut attempts = 0;
+  let max_attempts = 100; // 10 seconds max
+
+  loop {
+    tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
+
+    if let Some(updated_config) = get_vpn_worker_config(&id) {
+      if let Some(ref local_url) = updated_config.local_url {
+        if !local_url.is_empty() {
+          if let Some(port) = updated_config.local_port {
+            if let Ok(Ok(_)) = tokio::time::timeout(
+              tokio::time::Duration::from_millis(100),
+              tokio::net::TcpStream::connect(("127.0.0.1", port)),
+            )
+            .await
+            {
+              return Ok(updated_config);
+            }
+          }
+        }
+      }
+    }
+
+    attempts += 1;
+    if attempts >= max_attempts {
+      if let Some(config) = get_vpn_worker_config(&id) {
+        let process_running = config.pid.map(is_process_running).unwrap_or(false);
+        // Clean up on failure
+        delete_vpn_worker_config(&id);
+        return Err(
+          format!(
+            "VPN worker failed to start in time. pid={:?}, process_running={}, local_url={:?}",
+            config.pid, process_running, config.local_url
+          )
+          .into(),
+        );
+      }
+      delete_vpn_worker_config(&id);
+      return Err("VPN worker config not found after spawn".into());
+    }
+  }
+}
+
+pub async fn stop_vpn_worker(id: &str) -> Result<bool, Box<dyn std::error::Error>> {
+  let config = get_vpn_worker_config(id);
+
+  if let Some(config) = config {
+    if let Some(pid) = config.pid {
+      #[cfg(unix)]
+      {
+        use std::process::Command;
+        let _ = Command::new("kill")
+          .arg("-TERM")
+          .arg(pid.to_string())
+          .output();
+      }
+      #[cfg(windows)]
+      {
+        use std::os::windows::process::CommandExt;
+        use std::process::Command;
+        const CREATE_NO_WINDOW: u32 = 0x08000000;
+        let _ = Command::new("taskkill")
+          .args(["/F", "/PID", &pid.to_string()])
+          .creation_flags(CREATE_NO_WINDOW)
+          .output();
+      }
+
+      tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
+    }
+
+    // Clean up temp config file
+    let _ = std::fs::remove_file(&config.config_file_path);
+
+    delete_vpn_worker_config(id);
+    return Ok(true);
+  }
+
+  Ok(false)
+}
+
+pub async fn stop_vpn_worker_by_vpn_id(vpn_id: &str) -> Result<bool, Box<dyn std::error::Error>> {
+  if let Some(config) = find_vpn_worker_by_vpn_id(vpn_id) {
+    return stop_vpn_worker(&config.id).await;
+  }
+  Ok(false)
+}
+
+pub async fn stop_all_vpn_workers() -> Result<(), Box<dyn std::error::Error>> {
+  let configs = list_vpn_worker_configs();
+  for config in configs {
+    let _ = stop_vpn_worker(&config.id).await;
+  }
+  Ok(())
+}
@@ -0,0 +1,107 @@
+use crate::proxy_storage::get_storage_dir;
+use serde::{Deserialize, Serialize};
+use std::fs;
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct VpnWorkerConfig {
+  pub id: String,
+  pub vpn_id: String,
+  pub vpn_type: String,
+  pub config_file_path: String,
+  pub local_port: Option<u16>,
+  pub local_url: Option<String>,
+  pub pid: Option<u32>,
+}
+
+impl VpnWorkerConfig {
+  pub fn new(id: String, vpn_id: String, vpn_type: String, config_file_path: String) -> Self {
+    Self {
+      id,
+      vpn_id,
+      vpn_type,
+      config_file_path,
+      local_port: None,
+      local_url: None,
+      pid: None,
+    }
+  }
+}
+
+pub fn save_vpn_worker_config(config: &VpnWorkerConfig) -> Result<(), Box<dyn std::error::Error>> {
+  let storage_dir = get_storage_dir();
+  fs::create_dir_all(&storage_dir)?;
+
+  let file_path = storage_dir.join(format!("vpn_worker_{}.json", config.id));
+  let content = serde_json::to_string_pretty(config)?;
+  fs::write(&file_path, content)?;
+
+  Ok(())
+}
+
+pub fn get_vpn_worker_config(id: &str) -> Option<VpnWorkerConfig> {
+  let storage_dir = get_storage_dir();
+  let file_path = storage_dir.join(format!("vpn_worker_{}.json", id));
+
+  if !file_path.exists() {
+    return None;
+  }
+
+  match fs::read_to_string(&file_path) {
+    Ok(content) => serde_json::from_str(&content).ok(),
+    Err(_) => None,
+  }
+}
+
+pub fn delete_vpn_worker_config(id: &str) -> bool {
+  let storage_dir = get_storage_dir();
+  let file_path = storage_dir.join(format!("vpn_worker_{}.json", id));
+
+  if !file_path.exists() {
+    return false;
+  }
+
+  fs::remove_file(&file_path).is_ok()
+}
+
+pub fn list_vpn_worker_configs() -> Vec<VpnWorkerConfig> {
+  let storage_dir = get_storage_dir();
+
+  if !storage_dir.exists() {
+    return Vec::new();
+  }
+
+  let mut configs = Vec::new();
+  if let Ok(entries) = fs::read_dir(&storage_dir) {
+    for entry in entries.flatten() {
+      let path = entry.path();
+      if let Some(name) = path.file_name().and_then(|n| n.to_str()) {
+        if name.starts_with("vpn_worker_") && name.ends_with(".json") {
+          if let Ok(content) = fs::read_to_string(&path) {
+            if let Ok(config) = serde_json::from_str::<VpnWorkerConfig>(&content) {
+              configs.push(config);
+            }
+          }
+        }
+      }
+    }
+  }
+
+  configs
+}
+
+pub fn find_vpn_worker_by_vpn_id(vpn_id: &str) -> Option<VpnWorkerConfig> {
+  list_vpn_worker_configs()
+    .into_iter()
+    .find(|c| c.vpn_id == vpn_id)
+}
+
+pub fn generate_vpn_worker_id() -> String {
+  format!(
+    "vpnw_{}_{}",
+    std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap()
+      .as_secs(),
+    rand::random::<u32>()
+  )
+}
@@ -1,6 +1,5 @@
 use crate::browser_runner::BrowserRunner;
 use crate::profile::BrowserProfile;
-use directories::BaseDirs;
 use reqwest::Client;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
@@ -72,8 +71,6 @@ struct WayfernManagerInner {

 pub struct WayfernManager {
  inner: Arc<AsyncMutex<WayfernManagerInner>>,
-  #[allow(dead_code)]
-  base_dirs: BaseDirs,
  http_client: Client,
 }

@@ -91,7 +88,6 @@ impl WayfernManager {
      inner: Arc::new(AsyncMutex::new(WayfernManagerInner {
        instances: HashMap::new(),
      })),
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
      http_client: Client::new(),
    }
  }
@@ -102,26 +98,12 @@ impl WayfernManager {

  #[allow(dead_code)]
  pub fn get_profiles_dir(&self) -> PathBuf {
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("profiles");
-    path
+    crate::app_dirs::profiles_dir()
  }

  #[allow(dead_code)]
  fn get_binaries_dir(&self) -> PathBuf {
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("binaries");
-    path
+    crate::app_dirs::binaries_dir()
  }

  async fn find_free_port() -> Result<u16, Box<dyn std::error::Error + Send + Sync>> {
@@ -231,7 +213,15 @@ impl WayfernManager {
    config: &WayfernConfig,
  ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
    let executable_path = if let Some(path) = &config.executable_path {
-      PathBuf::from(path)
+      let p = PathBuf::from(path);
+      if p.exists() {
+        p
+      } else {
+        log::warn!("Stored Wayfern executable path does not exist: {path}, falling back to dynamic resolution");
+        BrowserRunner::instance()
+          .get_browser_executable_path(profile)
+          .map_err(|e| format!("Failed to get Wayfern executable path: {e}"))?
+      }
    } else {
      BrowserRunner::instance()
        .get_browser_executable_path(profile)
@@ -255,6 +245,9 @@ impl WayfernManager {
      .arg("--no-first-run")
      .arg("--no-default-browser-check")
      .arg("--disable-background-mode")
+      .arg("--use-mock-keychain")
+      .arg("--password-store=basic")
+      .arg("--disable-features=DialMediaRouteProvider")
      .stdout(Stdio::null())
      .stderr(Stdio::null());

@@ -271,8 +264,11 @@ impl WayfernManager {
        }
        #[cfg(windows)]
        {
+          use std::os::windows::process::CommandExt;
+          const CREATE_NO_WINDOW: u32 = 0x08000000;
          let _ = std::process::Command::new("taskkill")
            .args(["/PID", &id.to_string(), "/F"])
+            .creation_flags(CREATE_NO_WINDOW)
            .output();
        }
      }
@@ -390,6 +386,7 @@ impl WayfernManager {
    Ok(fingerprint_json)
  }

+  #[allow(clippy::too_many_arguments)]
  pub async fn launch_wayfern(
    &self,
    _app_handle: &AppHandle,
@@ -398,9 +395,19 @@ impl WayfernManager {
    config: &WayfernConfig,
    url: Option<&str>,
    proxy_url: Option<&str>,
+    ephemeral: bool,
+    extension_paths: &[String],
  ) -> Result<WayfernLaunchResult, Box<dyn std::error::Error + Send + Sync>> {
    let executable_path = if let Some(path) = &config.executable_path {
-      PathBuf::from(path)
+      let p = PathBuf::from(path);
+      if p.exists() {
+        p
+      } else {
+        log::warn!("Stored Wayfern executable path does not exist: {path}, falling back to dynamic resolution");
+        BrowserRunner::instance()
+          .get_browser_executable_path(profile)
+          .map_err(|e| format!("Failed to get Wayfern executable path: {e}"))?
+      }
    } else {
      BrowserRunner::instance()
        .get_browser_executable_path(profile)
@@ -434,6 +441,18 @@ impl WayfernManager {
      args.push(format!("--proxy-server={proxy}"));
    }

+    if ephemeral {
+      args.push("--disk-cache-size=1".to_string());
+      args.push("--disable-breakpad".to_string());
+      args.push("--disable-crash-reporter".to_string());
+      args.push("--no-service-autorun".to_string());
+      args.push("--disable-sync".to_string());
+    }
+
+    if !extension_paths.is_empty() {
+      args.push(format!("--load-extension={}", extension_paths.join(",")));
+    }
+
    // Don't add URL to args - we'll navigate via CDP after setting fingerprint
    // This ensures fingerprint is applied at navigation commit time

@@ -586,8 +605,11 @@ impl WayfernManager {
        }
        #[cfg(windows)]
        {
+          use std::os::windows::process::CommandExt;
+          const CREATE_NO_WINDOW: u32 = 0x08000000;
          let _ = std::process::Command::new("taskkill")
            .args(["/PID", &pid.to_string(), "/F"])
+            .creation_flags(CREATE_NO_WINDOW)
            .output();
        }
        log::info!("Stopped Wayfern instance {id} (PID: {pid})");
@@ -641,11 +663,19 @@ impl WayfernManager {

    let mut inner = self.inner.lock().await;

+    // Canonicalize the target path for comparison
+    let target_path = std::path::Path::new(profile_path)
+      .canonicalize()
+      .unwrap_or_else(|_| std::path::Path::new(profile_path).to_path_buf());
+
    // Find the instance with the matching profile path
    let mut found_id: Option<String> = None;
    for (id, instance) in &inner.instances {
      if let Some(path) = &instance.profile_path {
-        if path == profile_path {
+        let instance_path = std::path::Path::new(path)
+          .canonicalize()
+          .unwrap_or_else(|_| std::path::Path::new(path).to_path_buf());
+        if instance_path == target_path {
          found_id = Some(id.clone());
          break;
        }
@@ -662,7 +692,6 @@ impl WayfernManager {
          let sysinfo_pid = sysinfo::Pid::from_u32(pid);

          if system.process(sysinfo_pid).is_some() {
-            // Process is still running
            return Some(WayfernLaunchResult {
              id: id.clone(),
              processId: instance.process_id,
@@ -671,7 +700,6 @@ impl WayfernManager {
              cdp_port: instance.cdp_port,
            });
          } else {
-            // Process has died (e.g., Cmd+Q), remove from instances
            log::info!(
              "Wayfern process {} for profile {} is no longer running, cleaning up",
              pid,
@@ -684,6 +712,101 @@ impl WayfernManager {
      }
    }

+    // If not found in in-memory instances, scan system processes.
+    // This handles the case where the GUI was restarted but Wayfern is still running.
+    if let Some((pid, found_profile_path, cdp_port)) =
+      Self::find_wayfern_process_by_profile(&target_path)
+    {
+      log::info!(
+        "Found running Wayfern process (PID: {}) for profile path via system scan",
+        pid
+      );
+
+      let instance_id = format!("recovered_{}", pid);
+      inner.instances.insert(
+        instance_id.clone(),
+        WayfernInstance {
+          id: instance_id.clone(),
+          process_id: Some(pid),
+          profile_path: Some(found_profile_path.clone()),
+          url: None,
+          cdp_port,
+        },
+      );
+
+      return Some(WayfernLaunchResult {
+        id: instance_id,
+        processId: Some(pid),
+        profilePath: Some(found_profile_path),
+        url: None,
+        cdp_port,
+      });
+    }
+
+    None
+  }
+
+  /// Scan system processes to find a Wayfern/Chromium process using a specific profile path
+  fn find_wayfern_process_by_profile(
+    target_path: &std::path::Path,
+  ) -> Option<(u32, String, Option<u16>)> {
+    use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
+
+    let target_path_str = target_path.to_string_lossy();
+
+    for (pid, process) in system.processes() {
+      let cmd = process.cmd();
+      if cmd.is_empty() {
+        continue;
+      }
+
+      let exe_name = process.name().to_string_lossy().to_lowercase();
+      let is_chromium_like = exe_name.contains("wayfern")
+        || exe_name.contains("chromium")
+        || exe_name.contains("chrome");
+
+      if !is_chromium_like {
+        continue;
+      }
+
+      // Skip child processes (renderer, GPU, utility, zygote, etc.)
+      // Only the main browser process lacks a --type= argument
+      let is_child = cmd
+        .iter()
+        .any(|a| a.to_str().is_some_and(|s| s.starts_with("--type=")));
+      if is_child {
+        continue;
+      }
+
+      let mut matched = false;
+      let mut cdp_port: Option<u16> = None;
+
+      for arg in cmd.iter() {
+        if let Some(arg_str) = arg.to_str() {
+          if let Some(dir_val) = arg_str.strip_prefix("--user-data-dir=") {
+            let cmd_path = std::path::Path::new(dir_val)
+              .canonicalize()
+              .unwrap_or_else(|_| std::path::Path::new(dir_val).to_path_buf());
+            if cmd_path == target_path {
+              matched = true;
+            }
+          }
+
+          if let Some(port_val) = arg_str.strip_prefix("--remote-debugging-port=") {
+            cdp_port = port_val.parse().ok();
+          }
+        }
+      }
+
+      if matched {
+        return Some((pid.as_u32(), target_path_str.to_string(), cdp_port));
+      }
+    }
+
    None
  }

@@ -715,6 +838,8 @@ impl WayfernManager {
        config,
        url,
        proxy_url,
+        profile.ephemeral,
+        &[],
      )
      .await
  }
@@ -1,7 +1,7 @@
 {
  "$schema": "https://schema.tauri.app/config/2",
  "productName": "Donut",
-  "version": "0.14.2",
+  "version": "0.15.0",
  "identifier": "com.donutbrowser",
  "build": {
    "beforeDevCommand": "pnpm copy-proxy-binary && pnpm dev",
@@ -32,7 +32,7 @@
      "frameworks": [],
      "minimumSystemVersion": "10.13",
      "exceptionDomain": "",
-      "signingIdentity": "-",
+      "signingIdentity": null,
      "providerShortName": null,
      "entitlements": "entitlements.plist",
      "files": {
@@ -7,6 +7,45 @@ use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 use tokio::time::sleep;

+/// Start a simple HTTP server that returns a specific body for any request.
+/// Returns the (port, JoinHandle).
+async fn start_mock_http_server(response_body: &'static str) -> (u16, tokio::task::JoinHandle<()>) {
+  let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
+  let port = listener.local_addr().unwrap().port();
+
+  let handle = tokio::spawn(async move {
+    use http_body_util::Full;
+    use hyper::body::Bytes;
+    use hyper::server::conn::http1;
+    use hyper::service::service_fn;
+    use hyper::{Response, StatusCode};
+    use hyper_util::rt::TokioIo;
+
+    while let Ok((stream, _)) = listener.accept().await {
+      let io = TokioIo::new(stream);
+      tokio::task::spawn(async move {
+        let service = service_fn(move |_req| {
+          let body = response_body;
+          async move {
+            Ok::<_, hyper::Error>(
+              Response::builder()
+                .status(StatusCode::OK)
+                .body(Full::new(Bytes::from(body)))
+                .unwrap(),
+            )
+          }
+        });
+        let _ = http1::Builder::new().serve_connection(io, service).await;
+      });
+    }
+  });
+
+  // Wait for listener to be ready
+  sleep(Duration::from_millis(100)).await;
+
+  (port, handle)
+}
+
 /// Setup function to ensure donut-proxy binary exists and cleanup stale proxies
 async fn setup_test() -> Result<std::path::PathBuf, Box<dyn std::error::Error + Send + Sync>> {
  let cargo_manifest_dir = std::env::var("CARGO_MANIFEST_DIR")?;
@@ -516,13 +555,7 @@ async fn test_traffic_tracking() -> Result<(), Box<dyn std::error::Error + Send
  // Wait for traffic stats to be flushed (happens every second)
  sleep(Duration::from_secs(2)).await;

-  // Verify traffic was tracked by checking traffic stats file exists
-  // Note: Traffic stats are stored in the cache directory
-  let cache_dir = directories::BaseDirs::new()
-    .expect("Failed to get base directories")
-    .cache_dir()
-    .to_path_buf();
-  let traffic_stats_dir = cache_dir.join("DonutBrowserDev").join("traffic_stats");
+  let traffic_stats_dir = donutbrowser_lib::app_dirs::cache_dir().join("traffic_stats");
  let stats_file = traffic_stats_dir.join(format!("{}.json", proxy_id));

  if stats_file.exists() {
@@ -643,3 +676,448 @@ async fn test_proxy_stop() -> Result<(), Box<dyn std::error::Error + Send + Sync

  Ok(())
 }
+
+/// Test that bypass rules cause requests to bypass the upstream proxy.
+/// Requests to bypassed hosts go directly to the target, while
+/// requests to non-bypassed hosts are routed through the upstream.
+#[tokio::test]
+#[serial]
+async fn test_bypass_rules_http_direct() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  // Start a target HTTP server (this is where bypassed requests should arrive)
+  let (target_port, target_handle) = start_mock_http_server("DIRECT-TARGET-RESPONSE").await;
+  println!("Target server listening on port {target_port}");
+
+  // Start a mock upstream proxy (non-bypassed requests go here)
+  let (upstream_port, upstream_handle) = start_mock_http_server("UPSTREAM-PROXY-RESPONSE").await;
+  println!("Mock upstream proxy listening on port {upstream_port}");
+
+  // Start donut-proxy with upstream + bypass rules for "127.0.0.1"
+  let bypass_rules = serde_json::json!(["127.0.0.1"]).to_string();
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &[
+      "proxy",
+      "start",
+      "--host",
+      "127.0.0.1",
+      "--proxy-port",
+      &upstream_port.to_string(),
+      "--type",
+      "http",
+      "--bypass-rules",
+      &bypass_rules,
+    ],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    target_handle.abort();
+    upstream_handle.abort();
+    return Err(format!("Proxy start failed - stdout: {stdout}, stderr: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  let local_port = config["localPort"].as_u64().unwrap() as u16;
+  tracker.track_proxy(proxy_id.clone());
+
+  println!("Donut-proxy started on port {local_port} with bypass rules for 127.0.0.1");
+
+  sleep(Duration::from_millis(500)).await;
+
+  // Test 1: Request to 127.0.0.1 should be BYPASSED (direct connection to target)
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request = format!(
+      "GET http://127.0.0.1:{target_port}/ HTTP/1.1\r\nHost: 127.0.0.1:{target_port}\r\nConnection: close\r\n\r\n"
+    );
+    stream.write_all(request.as_bytes()).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    println!(
+      "Bypass response: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+
+    assert!(
+      response_str.contains("DIRECT-TARGET-RESPONSE"),
+      "Bypassed request should reach target directly, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    assert!(
+      !response_str.contains("UPSTREAM-PROXY-RESPONSE"),
+      "Bypassed request should NOT go through upstream"
+    );
+    println!("Bypass test passed: request to 127.0.0.1 went directly to target");
+  }
+
+  // Test 2: Request to non-bypassed host should go through upstream
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request =
+      b"GET http://non-bypass-host.test/ HTTP/1.1\r\nHost: non-bypass-host.test\r\nConnection: close\r\n\r\n";
+    stream.write_all(request).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    println!(
+      "Non-bypass response: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+
+    assert!(
+      response_str.contains("UPSTREAM-PROXY-RESPONSE"),
+      "Non-bypassed request should go through upstream, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    assert!(
+      !response_str.contains("DIRECT-TARGET-RESPONSE"),
+      "Non-bypassed request should NOT reach target directly"
+    );
+    println!("Non-bypass test passed: request to non-bypass-host.test went through upstream");
+  }
+
+  // Cleanup
+  tracker.cleanup_all().await;
+  target_handle.abort();
+  upstream_handle.abort();
+
+  Ok(())
+}
+
+/// Test bypass rules with regex patterns.
+/// Verifies that regex-based rules match hosts correctly.
+#[tokio::test]
+#[serial]
+async fn test_bypass_rules_regex_pattern() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  let (target_port, target_handle) = start_mock_http_server("REGEX-DIRECT-RESPONSE").await;
+  let (upstream_port, upstream_handle) = start_mock_http_server("REGEX-UPSTREAM-RESPONSE").await;
+
+  // Use regex bypass rule: ^127\.0\.0\.\d+ (matches any 127.0.0.x address)
+  let bypass_rules = serde_json::json!([r"^127\.0\.0\.\d+"]).to_string();
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &[
+      "proxy",
+      "start",
+      "--host",
+      "127.0.0.1",
+      "--proxy-port",
+      &upstream_port.to_string(),
+      "--type",
+      "http",
+      "--bypass-rules",
+      &bypass_rules,
+    ],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    target_handle.abort();
+    upstream_handle.abort();
+    return Err(format!("Proxy start failed - stdout: {stdout}, stderr: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  let local_port = config["localPort"].as_u64().unwrap() as u16;
+  tracker.track_proxy(proxy_id.clone());
+
+  sleep(Duration::from_millis(500)).await;
+
+  // Request to 127.0.0.1 should match regex and be bypassed
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request = format!(
+      "GET http://127.0.0.1:{target_port}/ HTTP/1.1\r\nHost: 127.0.0.1:{target_port}\r\nConnection: close\r\n\r\n"
+    );
+    stream.write_all(request.as_bytes()).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    assert!(
+      response_str.contains("REGEX-DIRECT-RESPONSE"),
+      "Regex-bypassed request should reach target directly, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    println!("Regex bypass test passed: 127.0.0.1 matched regex rule");
+  }
+
+  // Request to non-matching host should go through upstream
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request =
+      b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n";
+    stream.write_all(request).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    assert!(
+      response_str.contains("REGEX-UPSTREAM-RESPONSE"),
+      "Non-matching request should go through upstream, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    println!("Regex non-bypass test passed: example.com did not match regex rule");
+  }
+
+  tracker.cleanup_all().await;
+  target_handle.abort();
+  upstream_handle.abort();
+
+  Ok(())
+}
+
+/// Test that bypass rules are persisted in the proxy config on disk.
+#[tokio::test]
+#[serial]
+async fn test_bypass_rules_in_config() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  let bypass_rules =
+    serde_json::json!(["example.com", "192.168.0.0/16", r".*\.internal\.net"]).to_string();
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &["proxy", "start", "--bypass-rules", &bypass_rules],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    return Err(format!("Proxy start failed - stdout: {stdout}, stderr: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  tracker.track_proxy(proxy_id.clone());
+
+  sleep(Duration::from_millis(500)).await;
+
+  // Read the proxy config file from disk to verify bypass rules are persisted
+  let proxies_dir = donutbrowser_lib::app_dirs::proxies_dir();
+  let config_file = proxies_dir.join(format!("{proxy_id}.json"));
+
+  assert!(
+    config_file.exists(),
+    "Proxy config file should exist at {:?}",
+    config_file
+  );
+
+  let config_content = std::fs::read_to_string(&config_file)?;
+  let disk_config: Value = serde_json::from_str(&config_content)?;
+
+  let rules = disk_config["bypass_rules"]
+    .as_array()
+    .expect("bypass_rules should be an array in the config");
+
+  assert_eq!(rules.len(), 3, "Should have 3 bypass rules");
+  assert_eq!(rules[0], "example.com");
+  assert_eq!(rules[1], "192.168.0.0/16");
+  assert_eq!(rules[2], r".*\.internal\.net");
+
+  println!(
+    "Config persistence test passed: {} bypass rules found in config",
+    rules.len()
+  );
+
+  tracker.cleanup_all().await;
+
+  Ok(())
+}
+
+/// Test bypass rules with multiple rule types combined (exact + regex).
+#[tokio::test]
+#[serial]
+async fn test_bypass_rules_multiple_rules() -> Result<(), Box<dyn std::error::Error + Send + Sync>>
+{
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  let (target_port, target_handle) = start_mock_http_server("MULTI-DIRECT-RESPONSE").await;
+  let (upstream_port, upstream_handle) = start_mock_http_server("MULTI-UPSTREAM-RESPONSE").await;
+
+  // Multiple bypass rules: exact match + regex
+  let bypass_rules = serde_json::json!(["127.0.0.1", r"^localhost$"]).to_string();
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &[
+      "proxy",
+      "start",
+      "--host",
+      "127.0.0.1",
+      "--proxy-port",
+      &upstream_port.to_string(),
+      "--type",
+      "http",
+      "--bypass-rules",
+      &bypass_rules,
+    ],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    target_handle.abort();
+    upstream_handle.abort();
+    return Err(format!("Proxy start failed - stdout: {stdout}, stderr: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  let local_port = config["localPort"].as_u64().unwrap() as u16;
+  tracker.track_proxy(proxy_id.clone());
+
+  sleep(Duration::from_millis(500)).await;
+
+  // Request via 127.0.0.1 (exact match rule) → bypass
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request = format!(
+      "GET http://127.0.0.1:{target_port}/ HTTP/1.1\r\nHost: 127.0.0.1:{target_port}\r\nConnection: close\r\n\r\n"
+    );
+    stream.write_all(request.as_bytes()).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    assert!(
+      response_str.contains("MULTI-DIRECT-RESPONSE"),
+      "Exact-match bypassed request should reach target, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    println!("Multi-rule test: exact match bypass works");
+  }
+
+  // Request via localhost (regex match rule) → bypass
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request = format!(
+      "GET http://localhost:{target_port}/ HTTP/1.1\r\nHost: localhost:{target_port}\r\nConnection: close\r\n\r\n"
+    );
+    stream.write_all(request.as_bytes()).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    assert!(
+      response_str.contains("MULTI-DIRECT-RESPONSE"),
+      "Regex-match bypassed request should reach target, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    println!("Multi-rule test: regex match bypass works");
+  }
+
+  // Request to non-matching host → upstream
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request =
+      b"GET http://other-host.test/ HTTP/1.1\r\nHost: other-host.test\r\nConnection: close\r\n\r\n";
+    stream.write_all(request).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    assert!(
+      response_str.contains("MULTI-UPSTREAM-RESPONSE"),
+      "Non-matching request should go through upstream, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    println!("Multi-rule test: non-matching host goes through upstream");
+  }
+
+  tracker.cleanup_all().await;
+  target_handle.abort();
+  upstream_handle.abort();
+
+  Ok(())
+}
+
+/// Test that an empty bypass rules list means everything goes through upstream.
+#[tokio::test]
+#[serial]
+async fn test_no_bypass_rules_all_through_upstream(
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  let (upstream_port, upstream_handle) = start_mock_http_server("ALL-UPSTREAM-RESPONSE").await;
+
+  // Start proxy with empty bypass rules
+  let bypass_rules = serde_json::json!([]).to_string();
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &[
+      "proxy",
+      "start",
+      "--host",
+      "127.0.0.1",
+      "--proxy-port",
+      &upstream_port.to_string(),
+      "--type",
+      "http",
+      "--bypass-rules",
+      &bypass_rules,
+    ],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    upstream_handle.abort();
+    return Err(format!("Proxy start failed - stdout: {stdout}, stderr: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  let local_port = config["localPort"].as_u64().unwrap() as u16;
+  tracker.track_proxy(proxy_id.clone());
+
+  sleep(Duration::from_millis(500)).await;
+
+  // All requests should go through upstream when bypass rules are empty
+  let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+  let request =
+    b"GET http://any-host.test/ HTTP/1.1\r\nHost: any-host.test\r\nConnection: close\r\n\r\n";
+  stream.write_all(request).await?;
+
+  let mut response = Vec::new();
+  stream.read_to_end(&mut response).await?;
+  let response_str = String::from_utf8_lossy(&response);
+
+  assert!(
+    response_str.contains("ALL-UPSTREAM-RESPONSE"),
+    "With no bypass rules, all requests should go through upstream, got: {}",
+    &response_str[..response_str.len().min(300)]
+  );
+  println!("Empty bypass rules test passed: all traffic goes through upstream");
+
+  tracker.cleanup_all().await;
+  upstream_handle.abort();
+
+  Ok(())
+}
@@ -238,6 +238,46 @@ fn create_test_profile_bundle(temp_dir: &Path) -> Vec<u8> {
  encoder.finish().unwrap()
 }

+fn create_test_profile_bundle_with_bypass_rules(temp_dir: &Path, bypass_rules: &[&str]) -> Vec<u8> {
+  use flate2::write::GzEncoder;
+  use flate2::Compression;
+  use tar::Builder;
+
+  let metadata = json!({
+    "id": "test-bypass-profile-id",
+    "name": "Bypass Rules Profile",
+    "browser": "camoufox",
+    "version": "120.0.0",
+    "release_type": "stable",
+    "sync_enabled": true,
+    "tags": [],
+    "proxy_bypass_rules": bypass_rules
+  });
+
+  let profile_dir = temp_dir.join("bypass_profile");
+  fs::create_dir_all(&profile_dir).unwrap();
+  fs::write(profile_dir.join("test_file.txt"), "bypass test content").unwrap();
+
+  let mut encoder = GzEncoder::new(Vec::new(), Compression::default());
+  {
+    let mut tar = Builder::new(&mut encoder);
+
+    let metadata_json = serde_json::to_string_pretty(&metadata).unwrap();
+    let mut header = tar::Header::new_gnu();
+    header.set_size(metadata_json.len() as u64);
+    header.set_mode(0o644);
+    header.set_cksum();
+    tar
+      .append_data(&mut header, "metadata.json", metadata_json.as_bytes())
+      .unwrap();
+
+    tar.append_dir_all("profile", &profile_dir).unwrap();
+    tar.finish().unwrap();
+  }
+
+  encoder.finish().unwrap()
+}
+
 fn extract_bundle(data: &[u8], target_dir: &Path) -> serde_json::Value {
  use flate2::read::GzDecoder;
  use tar::Archive;
@@ -727,3 +767,77 @@ async fn test_delta_sync_only_changed_files() {
  client.delete(&file2_key, None).await.unwrap();
  client.delete(&file3_key, None).await.unwrap();
 }
+
+#[tokio::test]
+async fn test_profile_bypass_rules_sync() {
+  ensure_sync_server_available().await;
+  let client = TestClient::new();
+  let temp_dir = TempDir::new().unwrap();
+  let profile_id = uuid::Uuid::new_v4().to_string();
+  let test_key = format!("profiles/{}.tar.gz", profile_id);
+
+  let bypass_rules = vec!["example.com", "192.168.1.0/24", ".*\\.internal\\.net"];
+
+  let bundle = create_test_profile_bundle_with_bypass_rules(temp_dir.path(), &bypass_rules);
+
+  let presign = client
+    .presign_upload(&test_key, "application/gzip")
+    .await
+    .unwrap();
+  client
+    .upload_bytes(&presign.url, &bundle, "application/gzip")
+    .await
+    .unwrap();
+
+  let stat = client.stat(&test_key).await.unwrap();
+  assert!(stat.exists);
+
+  // Download and verify bypass rules survive the round-trip
+  let download_presign = client.presign_download(&test_key).await.unwrap();
+  let downloaded = client.download_bytes(&download_presign.url).await.unwrap();
+  assert_eq!(downloaded.len(), bundle.len());
+
+  let extract_dir = temp_dir.path().join("extracted");
+  fs::create_dir_all(&extract_dir).unwrap();
+  let metadata = extract_bundle(&downloaded, &extract_dir);
+
+  assert_eq!(metadata["name"], "Bypass Rules Profile");
+  assert_eq!(metadata["browser"], "camoufox");
+
+  let synced_rules = metadata["proxy_bypass_rules"]
+    .as_array()
+    .expect("proxy_bypass_rules should be an array");
+  assert_eq!(synced_rules.len(), 3);
+  assert_eq!(synced_rules[0], "example.com");
+  assert_eq!(synced_rules[1], "192.168.1.0/24");
+  assert_eq!(synced_rules[2], ".*\\.internal\\.net");
+
+  // Also verify empty bypass rules are handled correctly
+  let empty_bundle = create_test_profile_bundle_with_bypass_rules(temp_dir.path(), &[]);
+  let empty_key = format!("profiles/{}.tar.gz", uuid::Uuid::new_v4());
+
+  let presign2 = client
+    .presign_upload(&empty_key, "application/gzip")
+    .await
+    .unwrap();
+  client
+    .upload_bytes(&presign2.url, &empty_bundle, "application/gzip")
+    .await
+    .unwrap();
+
+  let download_presign2 = client.presign_download(&empty_key).await.unwrap();
+  let downloaded2 = client.download_bytes(&download_presign2.url).await.unwrap();
+
+  let extract_dir2 = temp_dir.path().join("extracted2");
+  fs::create_dir_all(&extract_dir2).unwrap();
+  let metadata2 = extract_bundle(&downloaded2, &extract_dir2);
+
+  let empty_rules = metadata2["proxy_bypass_rules"]
+    .as_array()
+    .expect("proxy_bypass_rules should be an array");
+  assert!(empty_rules.is_empty());
+
+  // Cleanup
+  client.delete(&test_key, None).await.unwrap();
+  client.delete(&empty_key, None).await.unwrap();
+}
@@ -188,6 +188,8 @@ fn test_vpn_storage_save_and_load() {
    config_data: "[Interface]\nPrivateKey=key\n[Peer]\nPublicKey=peer".to_string(),
    created_at: 1234567890,
    last_used: None,
+    sync_enabled: false,
+    last_sync: None,
  };

  let save_result = storage.save_config(&config);
@@ -230,6 +232,8 @@ fn test_vpn_storage_list() {
      config_data: "secret data".to_string(),
      created_at: 1000 * i as i64,
      last_used: None,
+      sync_enabled: false,
+      last_sync: None,
    };
    storage.save_config(&config).unwrap();
  }
@@ -256,6 +260,8 @@ fn test_vpn_storage_delete() {
    config_data: "data".to_string(),
    created_at: 1000,
    last_used: None,
+    sync_enabled: false,
+    last_sync: None,
  };

  storage.save_config(&config).unwrap();
@@ -3,12 +3,15 @@
 import { invoke } from "@tauri-apps/api/core";
 import { listen } from "@tauri-apps/api/event";
 import { getCurrent } from "@tauri-apps/plugin-deep-link";
-import { useCallback, useEffect, useMemo, useState } from "react";
+import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { CamoufoxConfigDialog } from "@/components/camoufox-config-dialog";
+import { CloneProfileDialog } from "@/components/clone-profile-dialog";
 import { CommercialTrialModal } from "@/components/commercial-trial-modal";
 import { CookieCopyDialog } from "@/components/cookie-copy-dialog";
+import { CookieManagementDialog } from "@/components/cookie-management-dialog";
 import { CreateProfileDialog } from "@/components/create-profile-dialog";
 import { DeleteConfirmationDialog } from "@/components/delete-confirmation-dialog";
+import { ExtensionManagementDialog } from "@/components/extension-management-dialog";
 import { GroupAssignmentDialog } from "@/components/group-assignment-dialog";
 import { GroupBadges } from "@/components/group-badges";
 import { GroupManagementDialog } from "@/components/group-management-dialog";
@@ -23,8 +26,10 @@ import { ProfileSyncDialog } from "@/components/profile-sync-dialog";
 import { ProxyAssignmentDialog } from "@/components/proxy-assignment-dialog";
 import { ProxyManagementDialog } from "@/components/proxy-management-dialog";
 import { SettingsDialog } from "@/components/settings-dialog";
+import { SyncAllDialog } from "@/components/sync-all-dialog";
 import { SyncConfigDialog } from "@/components/sync-config-dialog";
 import { WayfernTermsDialog } from "@/components/wayfern-terms-dialog";
+import { WindowResizeWarningDialog } from "@/components/window-resize-warning-dialog";
 import { useAppUpdateNotifications } from "@/hooks/use-app-update-notifications";
 import { useCloudAuth } from "@/hooks/use-cloud-auth";
 import { useCommercialTrial } from "@/hooks/use-commercial-trial";
@@ -35,9 +40,21 @@ import { useProfileEvents } from "@/hooks/use-profile-events";
 import { useProxyEvents } from "@/hooks/use-proxy-events";
 import { useUpdateNotifications } from "@/hooks/use-update-notifications";
 import { useVersionUpdater } from "@/hooks/use-version-updater";
+import { useVpnEvents } from "@/hooks/use-vpn-events";
 import { useWayfernTerms } from "@/hooks/use-wayfern-terms";
-import { showErrorToast, showSuccessToast, showToast } from "@/lib/toast-utils";
-import type { BrowserProfile, CamoufoxConfig, WayfernConfig } from "@/types";
+import {
+  dismissToast,
+  showErrorToast,
+  showSuccessToast,
+  showSyncProgressToast,
+  showToast,
+} from "@/lib/toast-utils";
+import type {
+  BrowserProfile,
+  CamoufoxConfig,
+  SyncSettings,
+  WayfernConfig,
+} from "@/types";

 type BrowserTypeString =
  | "firefox"
@@ -77,6 +94,8 @@ export default function Home() {
    error: proxiesError,
  } = useProxyEvents();

+  const { vpnConfigs } = useVpnEvents();
+
  // Wayfern terms and commercial trial hooks
  const {
    termsAccepted,
@@ -92,7 +111,26 @@ export default function Home() {
  // Cloud auth for cross-OS unlock
  const { user: cloudUser } = useCloudAuth();
  const crossOsUnlocked =
-    cloudUser?.plan !== "free" && cloudUser?.subscriptionStatus === "active";
+    cloudUser?.plan !== "free" &&
+    (cloudUser?.subscriptionStatus === "active" ||
+      cloudUser?.planPeriod === "lifetime");
+
+  const [selfHostedSyncConfigured, setSelfHostedSyncConfigured] =
+    useState(false);
+
+  const checkSelfHostedSync = useCallback(async () => {
+    try {
+      const settings = await invoke<SyncSettings>("get_sync_settings");
+      const hasConfig = Boolean(
+        settings.sync_server_url && settings.sync_token,
+      );
+      setSelfHostedSyncConfigured(hasConfig && !cloudUser);
+    } catch {
+      setSelfHostedSyncConfigured(false);
+    }
+  }, [cloudUser]);
+
+  const syncUnlocked = crossOsUnlocked || selfHostedSyncConfigured;

  const [createProfileDialogOpen, setCreateProfileDialogOpen] = useState(false);
  const [settingsDialogOpen, setSettingsDialogOpen] = useState(false);
@@ -104,11 +142,19 @@ export default function Home() {
    useState(false);
  const [groupManagementDialogOpen, setGroupManagementDialogOpen] =
    useState(false);
+  const [extensionManagementDialogOpen, setExtensionManagementDialogOpen] =
+    useState(false);
  const [groupAssignmentDialogOpen, setGroupAssignmentDialogOpen] =
    useState(false);
  const [proxyAssignmentDialogOpen, setProxyAssignmentDialogOpen] =
    useState(false);
  const [cookieCopyDialogOpen, setCookieCopyDialogOpen] = useState(false);
+  const [cookieManagementDialogOpen, setCookieManagementDialogOpen] =
+    useState(false);
+  const [
+    currentProfileForCookieManagement,
+    setCurrentProfileForCookieManagement,
+  ] = useState<BrowserProfile | null>(null);
  const [selectedProfilesForCookies, setSelectedProfilesForCookies] = useState<
    string[]
  >([]);
@@ -124,8 +170,15 @@ export default function Home() {
  const [pendingUrls, setPendingUrls] = useState<PendingUrl[]>([]);
  const [currentProfileForCamoufoxConfig, setCurrentProfileForCamoufoxConfig] =
    useState<BrowserProfile | null>(null);
+  const [cloneProfile, setCloneProfile] = useState<BrowserProfile | null>(null);
  const [hasCheckedStartupPrompt, setHasCheckedStartupPrompt] = useState(false);
  const [launchOnLoginDialogOpen, setLaunchOnLoginDialogOpen] = useState(false);
+  const [windowResizeWarningOpen, setWindowResizeWarningOpen] = useState(false);
+  const [windowResizeWarningBrowserType, setWindowResizeWarningBrowserType] =
+    useState<string | undefined>(undefined);
+  const windowResizeWarningResolver = useRef<
+    ((proceed: boolean) => void) | null
+  >(null);
  const [permissionDialogOpen, setPermissionDialogOpen] = useState(false);
  const [currentPermissionType, setCurrentPermissionType] =
    useState<PermissionType>("microphone");
@@ -133,6 +186,7 @@ export default function Home() {
    useState(false);
  const [isBulkDeleting, setIsBulkDeleting] = useState(false);
  const [syncConfigDialogOpen, setSyncConfigDialogOpen] = useState(false);
+  const [syncAllDialogOpen, setSyncAllDialogOpen] = useState(false);
  const [profileSyncDialogOpen, setProfileSyncDialogOpen] = useState(false);
  const [currentProfileForSync, setCurrentProfileForSync] =
    useState<BrowserProfile | null>(null);
@@ -446,23 +500,42 @@ export default function Home() {
      version: string;
      releaseType: string;
      proxyId?: string;
+      vpnId?: string;
      camoufoxConfig?: CamoufoxConfig;
      wayfernConfig?: WayfernConfig;
      groupId?: string;
+      extensionGroupId?: string;
+      ephemeral?: boolean;
    }) => {
      try {
-        await invoke<BrowserProfile>("create_browser_profile_new", {
-          name: profileData.name,
-          browserStr: profileData.browserStr,
-          version: profileData.version,
-          releaseType: profileData.releaseType,
-          proxyId: profileData.proxyId,
-          camoufoxConfig: profileData.camoufoxConfig,
-          wayfernConfig: profileData.wayfernConfig,
-          groupId:
-            profileData.groupId ||
-            (selectedGroupId !== "default" ? selectedGroupId : undefined),
-        });
+        const profile = await invoke<BrowserProfile>(
+          "create_browser_profile_new",
+          {
+            name: profileData.name,
+            browserStr: profileData.browserStr,
+            version: profileData.version,
+            releaseType: profileData.releaseType,
+            proxyId: profileData.proxyId,
+            vpnId: profileData.vpnId,
+            camoufoxConfig: profileData.camoufoxConfig,
+            wayfernConfig: profileData.wayfernConfig,
+            groupId:
+              profileData.groupId ||
+              (selectedGroupId !== "default" ? selectedGroupId : undefined),
+            ephemeral: profileData.ephemeral,
+          },
+        );
+
+        if (profileData.extensionGroupId) {
+          try {
+            await invoke("assign_extension_group_to_profile", {
+              profileId: profile.id,
+              extensionGroupId: profileData.extensionGroupId,
+            });
+          } catch (err) {
+            console.error("Failed to assign extension group:", err);
+          }
+        }

        // No need to manually reload - useProfileEvents will handle the update
      } catch (error) {
@@ -471,7 +544,6 @@ export default function Home() {
            error instanceof Error ? error.message : String(error)
          }`,
        );
-        throw error;
      }
    },
    [selectedGroupId],
@@ -480,6 +552,27 @@ export default function Home() {
  const launchProfile = useCallback(async (profile: BrowserProfile) => {
    console.log("Starting launch for profile:", profile.name);

+    // Show one-time warning about window resizing for fingerprinted browsers
+    if (profile.browser === "camoufox" || profile.browser === "wayfern") {
+      try {
+        const dismissed = await invoke<boolean>(
+          "get_window_resize_warning_dismissed",
+        );
+        if (!dismissed) {
+          const proceed = await new Promise<boolean>((resolve) => {
+            windowResizeWarningResolver.current = resolve;
+            setWindowResizeWarningBrowserType(profile.browser);
+            setWindowResizeWarningOpen(true);
+          });
+          if (!proceed) {
+            return;
+          }
+        }
+      } catch (error) {
+        console.error("Failed to check window resize warning:", error);
+      }
+    }
+
    try {
      const result = await invoke<BrowserProfile>("launch_browser_profile", {
        profile,
@@ -489,21 +582,12 @@ export default function Home() {
      console.error("Failed to launch browser:", err);
      const errorMessage = err instanceof Error ? err.message : String(err);
      showErrorToast(`Failed to launch browser: ${errorMessage}`);
-      // Re-throw the error so the table component can handle loading state cleanup
      throw err;
    }
  }, []);

-  const handleCloneProfile = useCallback(async (profile: BrowserProfile) => {
-    try {
-      await invoke<BrowserProfile>("clone_profile", {
-        profileId: profile.id,
-      });
-    } catch (err: unknown) {
-      console.error("Failed to clone profile:", err);
-      const errorMessage = err instanceof Error ? err.message : String(err);
-      showErrorToast(`Failed to clone profile: ${errorMessage}`);
-    }
+  const handleCloneProfile = useCallback((profile: BrowserProfile) => {
+    setCloneProfile(profile);
  }, []);

  const handleDeleteProfile = useCallback(async (profile: BrowserProfile) => {
@@ -650,6 +734,11 @@ export default function Home() {
    setCookieCopyDialogOpen(true);
  }, []);

+  const handleOpenCookieManagement = useCallback((profile: BrowserProfile) => {
+    setCurrentProfileForCookieManagement(profile);
+    setCookieManagementDialogOpen(true);
+  }, []);
+
  const handleGroupAssignmentComplete = useCallback(async () => {
    // No need to manually reload - useProfileEvents will handle the update
    setGroupAssignmentDialogOpen(false);
@@ -674,18 +763,16 @@ export default function Home() {
  const handleToggleProfileSync = useCallback(
    async (profile: BrowserProfile) => {
      try {
-        await invoke("set_profile_sync_enabled", {
+        const enabling = !profile.sync_mode || profile.sync_mode === "Disabled";
+        await invoke("set_profile_sync_mode", {
          profileId: profile.id,
-          enabled: !profile.sync_enabled,
+          syncMode: enabling ? "Regular" : "Disabled",
+        });
+        showSuccessToast(enabling ? "Sync enabled" : "Sync disabled", {
+          description: enabling
+            ? "Profile sync has been enabled"
+            : "Profile sync has been disabled",
        });
-        showSuccessToast(
-          profile.sync_enabled ? "Sync disabled" : "Sync enabled",
-          {
-            description: profile.sync_enabled
-              ? "Profile sync has been disabled"
-              : "Profile sync has been enabled",
-          },
-        );
      } catch (error) {
        console.error("Failed to toggle sync:", error);
        showErrorToast("Failed to update sync settings");
@@ -694,6 +781,67 @@ export default function Home() {
    [],
  );

+  useEffect(() => {
+    let unlistenStatus: (() => void) | undefined;
+    let unlistenProgress: (() => void) | undefined;
+    (async () => {
+      try {
+        unlistenStatus = await listen<{
+          profile_id: string;
+          status: string;
+          error?: string;
+        }>("profile-sync-status", (event) => {
+          const { profile_id, status, error } = event.payload;
+          const toastId = `sync-${profile_id}`;
+          const profile = profiles.find((p) => p.id === profile_id);
+          const name = profile?.name ?? "Unknown";
+
+          if (status === "syncing") {
+            showToast({
+              type: "loading",
+              title: `Syncing profile '${name}'...`,
+              id: toastId,
+              duration: Number.POSITIVE_INFINITY,
+              onCancel: () => dismissToast(toastId),
+            });
+          } else if (status === "synced") {
+            dismissToast(toastId);
+            showSuccessToast(`Profile '${name}' synced successfully`);
+          } else if (status === "error") {
+            dismissToast(toastId);
+            showErrorToast(
+              `Failed to sync profile '${name}'${error ? `: ${error}` : ""}`,
+            );
+          }
+        });
+
+        unlistenProgress = await listen<{
+          profile_id: string;
+          phase: string;
+          total_files?: number;
+          total_bytes?: number;
+        }>("profile-sync-progress", (event) => {
+          const { profile_id, phase, total_files, total_bytes } = event.payload;
+          if (phase !== "started") return;
+
+          const toastId = `sync-${profile_id}`;
+          const profile = profiles.find((p) => p.id === profile_id);
+          const name = profile?.name ?? "Unknown";
+
+          showSyncProgressToast(name, total_files ?? 0, total_bytes ?? 0, {
+            id: toastId,
+          });
+        });
+      } catch (error) {
+        console.error("Failed to listen for sync events:", error);
+      }
+    })();
+    return () => {
+      if (unlistenStatus) unlistenStatus();
+      if (unlistenProgress) unlistenProgress();
+    };
+  }, [profiles]);
+
  useEffect(() => {
    // Check for startup default browser prompt
    void checkStartupPrompt();
@@ -837,6 +985,11 @@ export default function Home() {
    }
  }, [isInitialized, checkAllPermissions]);

+  // Check self-hosted sync config on mount and when cloud user changes
+  useEffect(() => {
+    void checkSelfHostedSync();
+  }, [checkSelfHostedSync]);
+
  // Filter data by selected group and search query
  const filteredProfiles = useMemo(() => {
    let filtered = profiles;
@@ -886,6 +1039,7 @@ export default function Home() {
            onSettingsDialogOpen={setSettingsDialogOpen}
            onSyncConfigDialogOpen={setSyncConfigDialogOpen}
            onIntegrationsDialogOpen={setIntegrationsDialogOpen}
+            onExtensionManagementDialogOpen={setExtensionManagementDialogOpen}
            searchQuery={searchQuery}
            onSearchQueryChange={setSearchQuery}
          />
@@ -906,6 +1060,7 @@ export default function Home() {
            onRenameProfile={handleRenameProfile}
            onConfigureCamoufox={handleConfigureCamoufox}
            onCopyCookiesToProfile={handleCopyCookiesToProfile}
+            onOpenCookieManagement={handleOpenCookieManagement}
            runningProfiles={runningProfiles}
            isUpdating={isUpdating}
            onDeleteSelectedProfiles={handleDeleteSelectedProfiles}
@@ -920,6 +1075,7 @@ export default function Home() {
            onOpenProfileSyncDialog={handleOpenProfileSyncDialog}
            onToggleProfileSync={handleToggleProfileSync}
            crossOsUnlocked={crossOsUnlocked}
+            syncUnlocked={syncUnlocked}
          />
        </div>
      </main>
@@ -990,6 +1146,12 @@ export default function Home() {
        onPermissionGranted={checkNextPermission}
      />

+      <CloneProfileDialog
+        isOpen={!!cloneProfile}
+        onClose={() => setCloneProfile(null)}
+        profile={cloneProfile}
+      />
+
      <CamoufoxConfigDialog
        isOpen={camoufoxConfigDialogOpen}
        onClose={() => {
@@ -1014,6 +1176,12 @@ export default function Home() {
        onGroupManagementComplete={handleGroupManagementComplete}
      />

+      <ExtensionManagementDialog
+        isOpen={extensionManagementDialogOpen}
+        onClose={() => setExtensionManagementDialogOpen(false)}
+        limitedMode={!crossOsUnlocked}
+      />
+
      <GroupAssignmentDialog
        isOpen={groupAssignmentDialogOpen}
        onClose={() => {
@@ -1033,6 +1201,7 @@ export default function Home() {
        onAssignmentComplete={handleProxyAssignmentComplete}
        profiles={profiles}
        storedProxies={storedProxies}
+        vpnConfigs={vpnConfigs}
      />

      <CookieCopyDialog
@@ -1047,6 +1216,15 @@ export default function Home() {
        onCopyComplete={() => setSelectedProfilesForCookies([])}
      />

+      <CookieManagementDialog
+        isOpen={cookieManagementDialogOpen}
+        onClose={() => {
+          setCookieManagementDialogOpen(false);
+          setCurrentProfileForCookieManagement(null);
+        }}
+        profile={currentProfileForCookieManagement}
+      />
+
      <DeleteConfirmationDialog
        isOpen={showBulkDeleteConfirmation}
        onClose={() => setShowBulkDeleteConfirmation(false)}
@@ -1061,7 +1239,18 @@ export default function Home() {

      <SyncConfigDialog
        isOpen={syncConfigDialogOpen}
-        onClose={() => setSyncConfigDialogOpen(false)}
+        onClose={(loginOccurred) => {
+          setSyncConfigDialogOpen(false);
+          void checkSelfHostedSync();
+          if (loginOccurred) {
+            setSyncAllDialogOpen(true);
+          }
+        }}
+      />
+
+      <SyncAllDialog
+        isOpen={syncAllDialogOpen}
+        onClose={() => setSyncAllDialogOpen(false)}
      />

      <ProfileSyncDialog
@@ -1096,6 +1285,16 @@ export default function Home() {
        isOpen={launchOnLoginDialogOpen}
        onClose={() => setLaunchOnLoginDialogOpen(false)}
      />
+
+      <WindowResizeWarningDialog
+        isOpen={windowResizeWarningOpen}
+        browserType={windowResizeWarningBrowserType}
+        onResult={(proceed) => {
+          setWindowResizeWarningOpen(false);
+          windowResizeWarningResolver.current?.(proceed);
+          windowResizeWarningResolver.current = null;
+        }}
+      />
    </div>
  );
 }
@@ -1,69 +1,24 @@
 "use client";

-import { FaDownload, FaExternalLinkAlt, FaTimes } from "react-icons/fa";
-import { LuCheckCheck, LuCog, LuRefreshCw } from "react-icons/lu";
-import { Badge } from "@/components/ui/badge";
+import { FaExternalLinkAlt, FaTimes } from "react-icons/fa";
+import { LuCheckCheck } from "react-icons/lu";
 import { Button } from "@/components/ui/button";
-import type { AppUpdateInfo, AppUpdateProgress } from "@/types";
+import type { AppUpdateInfo } from "@/types";
 import { RippleButton } from "./ui/ripple";

 interface AppUpdateToastProps {
  updateInfo: AppUpdateInfo;
-  onUpdate: (updateInfo: AppUpdateInfo) => Promise<void>;
  onRestart: () => Promise<void>;
  onDismiss: () => void;
-  isUpdating?: boolean;
-  updateProgress?: AppUpdateProgress | null;
  updateReady?: boolean;
 }

-function getStageIcon(stage?: string, isUpdating?: boolean) {
-  if (!isUpdating) {
-    return <FaDownload className="flex-shrink-0 w-5 h-5" />;
-  }
-
-  switch (stage) {
-    case "downloading":
-      return <FaDownload className="flex-shrink-0 w-5 h-5" />;
-    case "extracting":
-      return <LuRefreshCw className="flex-shrink-0 w-5 h-5 animate-spin" />;
-    case "installing":
-      return <LuCog className="flex-shrink-0 w-5 h-5 animate-spin" />;
-    case "completed":
-      return <LuCheckCheck className="flex-shrink-0 w-5 h-5" />;
-    default:
-      return <LuRefreshCw className="flex-shrink-0 w-5 h-5 animate-spin" />;
-  }
-}
-
-function getStageDisplayName(stage?: string) {
-  switch (stage) {
-    case "downloading":
-      return "Downloading";
-    case "extracting":
-      return "Extracting";
-    case "installing":
-      return "Installing";
-    case "completed":
-      return "Completed";
-    default:
-      return "Updating";
-  }
-}
-
 export function AppUpdateToast({
  updateInfo,
-  onUpdate,
  onRestart,
  onDismiss,
-  isUpdating = false,
-  updateProgress,
  updateReady = false,
 }: AppUpdateToastProps) {
-  const handleUpdateClick = async () => {
-    await onUpdate(updateInfo);
-  };
-
  const handleRestartClick = async () => {
    await onRestart();
  };
@@ -77,115 +32,37 @@ export function AppUpdateToast({
    }
  };

-  const showDownloadProgress =
-    isUpdating &&
-    updateProgress?.stage === "downloading" &&
-    updateProgress.percentage !== undefined;
-
-  const showOtherStageProgress =
-    isUpdating &&
-    updateProgress &&
-    (updateProgress.stage === "extracting" ||
-      updateProgress.stage === "installing" ||
-      updateProgress.stage === "completed");
-
  return (
    <div className="flex items-start p-4 w-full max-w-md rounded-lg border shadow-lg bg-card border-border text-card-foreground">
      <div className="mr-3 mt-0.5">
-        {updateReady ? (
-          <LuCheckCheck className="flex-shrink-0 w-5 h-5 text-green-500" />
-        ) : (
-          getStageIcon(updateProgress?.stage, isUpdating)
-        )}
+        <LuCheckCheck className="flex-shrink-0 w-5 h-5" />
      </div>

      <div className="flex-1 min-w-0">
        <div className="flex gap-2 justify-between items-start">
          <div className="flex flex-col gap-1">
-            <div className="flex gap-2 items-center">
-              <span className="text-sm font-semibold text-foreground">
-                {updateReady
-                  ? "The update is ready, restart app"
-                  : isUpdating
-                    ? `${getStageDisplayName(updateProgress?.stage)} Donut Browser Update`
-                    : "Donut Browser Update Available"}
-              </span>
-              {!updateReady && (
-                <Badge
-                  variant={updateInfo.is_nightly ? "secondary" : "default"}
-                  className="text-xs"
-                >
-                  {updateInfo.is_nightly ? "Nightly" : "Stable"}
-                </Badge>
-              )}
+            <span className="text-sm font-semibold text-foreground">
+              {updateReady
+                ? "Update ready, restart to apply"
+                : "Manual download required"}
+            </span>
+            <div className="text-xs text-muted-foreground">
+              {updateInfo.current_version} → {updateInfo.new_version}
            </div>
-            {!updateReady && (
-              <div className="text-xs text-muted-foreground">
-                {isUpdating ? (
-                  updateProgress?.message || "Updating..."
-                ) : (
-                  <>
-                    Update from {updateInfo.current_version} to{" "}
-                    <span className="font-medium">
-                      {updateInfo.new_version}
-                    </span>
-                    {updateInfo.manual_update_required && (
-                      <span className="block mt-1 text-muted-foreground/80">
-                        Manual download required on Linux
-                      </span>
-                    )}
-                  </>
-                )}
-              </div>
-            )}
          </div>

-          {!isUpdating && !updateReady && (
-            <Button
-              variant="ghost"
-              size="sm"
-              onClick={onDismiss}
-              className="p-0 w-6 h-6 shrink-0"
-            >
-              <FaTimes className="w-3 h-3" />
-            </Button>
-          )}
+          <Button
+            variant="ghost"
+            size="sm"
+            onClick={onDismiss}
+            className="p-0 w-6 h-6 shrink-0"
+          >
+            <FaTimes className="w-3 h-3" />
+          </Button>
        </div>

-        {!updateReady && showDownloadProgress && updateProgress && (
-          <div className="mt-2 space-y-1">
-            <div className="flex justify-between items-center">
-              <p className="flex-1 min-w-0 text-xs text-muted-foreground">
-                {updateProgress.percentage?.toFixed(1)}%
-                {updateProgress.speed && ` • ${updateProgress.speed} MB/s`}
-                {updateProgress.eta && ` • ${updateProgress.eta} remaining`}
-              </p>
-            </div>
-            <div className="w-full bg-muted rounded-full h-1.5">
-              <div
-                className="bg-primary h-1.5 rounded-full transition-all duration-300"
-                style={{ width: `${updateProgress.percentage}%` }}
-              />
-            </div>
-          </div>
-        )}
-
-        {!updateReady && showOtherStageProgress && (
-          <div className="mt-2 space-y-1">
-            <div className="w-full bg-muted rounded-full h-1.5">
-              <div
-                className={`h-1.5 rounded-full transition-all duration-500 ${
-                  updateProgress.stage === "completed"
-                    ? "bg-green-500 w-full"
-                    : "bg-primary w-full animate-pulse"
-                }`}
-              />
-            </div>
-          </div>
-        )}
-
-        {updateReady ? (
-          <div className="flex gap-2 items-center mt-3">
+        <div className="flex gap-2 items-center mt-3">
+          {updateReady ? (
            <RippleButton
              onClick={() => void handleRestartClick()}
              size="sm"
@@ -194,40 +71,27 @@ export function AppUpdateToast({
              <LuCheckCheck className="w-3 h-3" />
              Restart Now
            </RippleButton>
-          </div>
-        ) : (
-          !isUpdating && (
-            <div className="flex gap-2 items-center mt-3">
-              {updateInfo.manual_update_required ? (
-                <RippleButton
-                  onClick={handleViewRelease}
-                  size="sm"
-                  className="flex gap-2 items-center text-xs"
-                >
-                  <FaExternalLinkAlt className="w-3 h-3" />
-                  View Release
-                </RippleButton>
-              ) : (
-                <RippleButton
-                  onClick={() => void handleUpdateClick()}
-                  size="sm"
-                  className="flex gap-2 items-center text-xs"
-                >
-                  <FaDownload className="w-3 h-3" />
-                  Download Update
-                </RippleButton>
-              )}
+          ) : (
+            updateInfo.manual_update_required && (
              <RippleButton
-                variant="outline"
-                onClick={onDismiss}
+                onClick={handleViewRelease}
                size="sm"
-                className="text-xs"
+                className="flex gap-2 items-center text-xs"
              >
-                Later
+                <FaExternalLinkAlt className="w-3 h-3" />
+                View Release
              </RippleButton>
-            </div>
-          )
-        )}
+            )
+          )}
+          <RippleButton
+            variant="outline"
+            onClick={onDismiss}
+            size="sm"
+            className="text-xs"
+          >
+            Later
+          </RippleButton>
+        </div>
      </div>
    </div>
  );
@@ -163,6 +163,7 @@ export function CamoufoxConfigDialog({
                forceAdvanced={true}
                readOnly={isRunning}
                crossOsUnlocked={crossOsUnlocked}
+                limitedMode={!crossOsUnlocked}
              />
            ) : (
              <SharedCamoufoxConfigForm
@@ -172,6 +173,7 @@ export function CamoufoxConfigDialog({
                readOnly={isRunning}
                browserType="camoufox"
                crossOsUnlocked={crossOsUnlocked}
+                limitedMode={!crossOsUnlocked}
              />
            )}
          </div>
@@ -0,0 +1,109 @@
+"use client";
+
+import { invoke } from "@tauri-apps/api/core";
+import * as React from "react";
+import { useTranslation } from "react-i18next";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { showErrorToast } from "@/lib/toast-utils";
+import type { BrowserProfile } from "@/types";
+import { LoadingButton } from "./loading-button";
+import { RippleButton } from "./ui/ripple";
+
+interface CloneProfileDialogProps {
+  isOpen: boolean;
+  onClose: () => void;
+  profile: BrowserProfile | null;
+  onCloneComplete?: () => void;
+}
+
+export function CloneProfileDialog({
+  isOpen,
+  onClose,
+  profile,
+  onCloneComplete,
+}: CloneProfileDialogProps) {
+  const { t } = useTranslation();
+  const [name, setName] = React.useState("");
+  const [isLoading, setIsLoading] = React.useState(false);
+  const inputRef = React.useRef<HTMLInputElement>(null);
+
+  React.useEffect(() => {
+    if (isOpen && profile) {
+      const defaultName = `${profile.name} (Copy)`;
+      setName(defaultName);
+      setTimeout(() => {
+        inputRef.current?.focus();
+        inputRef.current?.select();
+      }, 0);
+    } else {
+      setIsLoading(false);
+    }
+  }, [isOpen, profile]);
+
+  if (!profile) return null;
+
+  const handleClone = async () => {
+    if (!name.trim() || isLoading) return;
+    setIsLoading(true);
+    try {
+      await invoke<BrowserProfile>("clone_profile", {
+        profileId: profile.id,
+        name: name.trim(),
+      });
+      onClose();
+      onCloneComplete?.();
+    } catch (err: unknown) {
+      const errorMessage = err instanceof Error ? err.message : String(err);
+      showErrorToast(`Failed to clone profile: ${errorMessage}`);
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  return (
+    <Dialog open={isOpen} onOpenChange={(open) => !open && onClose()}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>{t("profileInfo.clone.title")}</DialogTitle>
+          <DialogDescription>
+            {t("profileInfo.clone.description")}
+          </DialogDescription>
+        </DialogHeader>
+        <Input
+          ref={inputRef}
+          value={name}
+          onChange={(e) => setName(e.target.value)}
+          onKeyDown={(e) => {
+            if (e.key === "Enter") void handleClone();
+          }}
+          placeholder={t("profileInfo.clone.namePlaceholder")}
+          disabled={isLoading}
+        />
+        <DialogFooter>
+          <RippleButton
+            variant="outline"
+            onClick={onClose}
+            disabled={isLoading}
+          >
+            {t("common.buttons.cancel")}
+          </RippleButton>
+          <LoadingButton
+            onClick={() => void handleClone()}
+            isLoading={isLoading}
+            disabled={!name.trim()}
+          >
+            {t("profileInfo.clone.button")}
+          </LoadingButton>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
@@ -0,0 +1,649 @@
+"use client";
+
+import { invoke } from "@tauri-apps/api/core";
+import { save } from "@tauri-apps/plugin-dialog";
+import { writeTextFile } from "@tauri-apps/plugin-fs";
+import { useCallback, useEffect, useMemo, useState } from "react";
+import { LuChevronDown, LuChevronRight, LuUpload } from "react-icons/lu";
+import { toast } from "sonner";
+import { LoadingButton } from "@/components/loading-button";
+import { Checkbox } from "@/components/ui/checkbox";
+import {
+  Dialog,
+  DialogContent,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Label } from "@/components/ui/label";
+import { RippleButton } from "@/components/ui/ripple";
+import { ScrollArea } from "@/components/ui/scroll-area";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@/components/ui/select";
+import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs";
+import type {
+  BrowserProfile,
+  CookieReadResult,
+  DomainCookies,
+  UnifiedCookie,
+} from "@/types";
+
+interface CookieImportResult {
+  cookies_imported: number;
+  cookies_replaced: number;
+  errors: string[];
+}
+
+interface CookieManagementDialogProps {
+  isOpen: boolean;
+  onClose: () => void;
+  profile: BrowserProfile | null;
+  initialTab?: "import" | "export";
+}
+
+type SelectionState = {
+  [domain: string]: {
+    allSelected: boolean;
+    cookies: Set<string>;
+  };
+};
+
+const countCookies = (content: string): number => {
+  const trimmed = content.trim();
+  if (trimmed.startsWith("[")) {
+    try {
+      const arr = JSON.parse(trimmed);
+      if (Array.isArray(arr)) return arr.length;
+    } catch {
+      // Fall through to Netscape counting
+    }
+  }
+  return content.split("\n").filter((line) => {
+    const l = line.trim();
+    return l && !l.startsWith("#");
+  }).length;
+};
+
+function formatJsonCookies(cookies: UnifiedCookie[]): string {
+  const arr = cookies.map((c) => {
+    const sameSite =
+      c.same_site === 1
+        ? "lax"
+        : c.same_site === 2
+          ? "strict"
+          : "no_restriction";
+    return {
+      name: c.name,
+      value: c.value,
+      domain: c.domain,
+      path: c.path,
+      secure: c.is_secure,
+      httpOnly: c.is_http_only,
+      sameSite,
+      expirationDate: c.expires,
+      session: c.expires === 0,
+      hostOnly: !c.domain.startsWith("."),
+    };
+  });
+  return JSON.stringify(arr, null, 2);
+}
+
+function formatNetscapeCookies(cookies: UnifiedCookie[]): string {
+  const lines = ["# Netscape HTTP Cookie File"];
+  for (const c of cookies) {
+    const flag = c.domain.startsWith(".") ? "TRUE" : "FALSE";
+    const secure = c.is_secure ? "TRUE" : "FALSE";
+    lines.push(
+      `${c.domain}\t${flag}\t${c.path}\t${secure}\t${c.expires}\t${c.name}\t${c.value}`,
+    );
+  }
+  return lines.join("\n");
+}
+
+function initSelectionFromCookieData(data: CookieReadResult): SelectionState {
+  const sel: SelectionState = {};
+  for (const d of data.domains) {
+    sel[d.domain] = {
+      allSelected: true,
+      cookies: new Set(d.cookies.map((c) => c.name)),
+    };
+  }
+  return sel;
+}
+
+export function CookieManagementDialog({
+  isOpen,
+  onClose,
+  profile,
+  initialTab = "import",
+}: CookieManagementDialogProps) {
+  // Import state
+  const [fileContent, setFileContent] = useState<string | null>(null);
+  const [fileName, setFileName] = useState<string | null>(null);
+  const [cookieCount, setCookieCount] = useState(0);
+  const [isImporting, setIsImporting] = useState(false);
+  const [importResult, setImportResult] = useState<CookieImportResult | null>(
+    null,
+  );
+
+  // Export state
+  const [format, setFormat] = useState<"netscape" | "json">("json");
+  const [isExporting, setIsExporting] = useState(false);
+  const [exportCookieData, setExportCookieData] =
+    useState<CookieReadResult | null>(null);
+  const [isLoadingExportCookies, setIsLoadingExportCookies] = useState(false);
+  const [exportSelection, setExportSelection] = useState<SelectionState>({});
+  const [expandedDomains, setExpandedDomains] = useState<Set<string>>(
+    new Set(),
+  );
+  const [activeTab, setActiveTab] = useState<string>(initialTab);
+
+  const selectedExportCount = useMemo(() => {
+    let count = 0;
+    for (const domain of Object.keys(exportSelection)) {
+      const ds = exportSelection[domain];
+      if (ds.allSelected) {
+        const domainData = exportCookieData?.domains.find(
+          (d) => d.domain === domain,
+        );
+        count += domainData?.cookie_count || 0;
+      } else {
+        count += ds.cookies.size;
+      }
+    }
+    return count;
+  }, [exportSelection, exportCookieData]);
+
+  const loadExportCookies = useCallback(
+    async (profileId: string) => {
+      if (exportCookieData) return;
+      setIsLoadingExportCookies(true);
+      try {
+        const result = await invoke<CookieReadResult>("read_profile_cookies", {
+          profileId,
+        });
+        setExportCookieData(result);
+        setExportSelection(initSelectionFromCookieData(result));
+      } catch (err) {
+        toast.error(
+          `Failed to load cookies: ${err instanceof Error ? err.message : String(err)}`,
+        );
+      } finally {
+        setIsLoadingExportCookies(false);
+      }
+    },
+    [exportCookieData],
+  );
+
+  useEffect(() => {
+    if (activeTab === "export" && profile && !exportCookieData) {
+      void loadExportCookies(profile.id);
+    }
+  }, [activeTab, profile, exportCookieData, loadExportCookies]);
+
+  const resetImportState = useCallback(() => {
+    setFileContent(null);
+    setFileName(null);
+    setCookieCount(0);
+    setIsImporting(false);
+    setImportResult(null);
+  }, []);
+
+  const resetExportState = useCallback(() => {
+    setFormat("json");
+    setIsExporting(false);
+    setExportCookieData(null);
+    setExportSelection({});
+    setExpandedDomains(new Set());
+  }, []);
+
+  const handleClose = useCallback(() => {
+    resetImportState();
+    resetExportState();
+    setActiveTab(initialTab);
+    onClose();
+  }, [resetImportState, resetExportState, onClose, initialTab]);
+
+  const handleTabChange = useCallback(
+    (tab: string) => {
+      setActiveTab(tab);
+      resetImportState();
+      if (tab !== "export") {
+        resetExportState();
+      }
+    },
+    [resetImportState, resetExportState],
+  );
+
+  const handleFileRead = useCallback((file: File) => {
+    const reader = new FileReader();
+    reader.onload = (e) => {
+      const content = e.target?.result as string;
+      setFileContent(content);
+      setFileName(file.name);
+      setCookieCount(countCookies(content));
+    };
+    reader.onerror = () => {
+      toast.error("Failed to read file");
+    };
+    reader.readAsText(file);
+  }, []);
+
+  const handleImport = useCallback(async () => {
+    if (!fileContent || !profile) return;
+    setIsImporting(true);
+    try {
+      const result = await invoke<CookieImportResult>(
+        "import_cookies_from_file",
+        {
+          profileId: profile.id,
+          content: fileContent,
+        },
+      );
+      setImportResult(result);
+    } catch (error) {
+      toast.error(error instanceof Error ? error.message : String(error));
+    } finally {
+      setIsImporting(false);
+    }
+  }, [fileContent, profile]);
+
+  const getSelectedCookies = useCallback((): UnifiedCookie[] => {
+    if (!exportCookieData) return [];
+    const result: UnifiedCookie[] = [];
+    for (const domain of exportCookieData.domains) {
+      const ds = exportSelection[domain.domain];
+      if (!ds) continue;
+      if (ds.allSelected) {
+        result.push(...domain.cookies);
+      } else {
+        result.push(...domain.cookies.filter((c) => ds.cookies.has(c.name)));
+      }
+    }
+    return result;
+  }, [exportCookieData, exportSelection]);
+
+  const handleExport = useCallback(async () => {
+    if (!profile) return;
+    setIsExporting(true);
+    try {
+      const cookies = getSelectedCookies();
+      const content =
+        format === "json"
+          ? formatJsonCookies(cookies)
+          : formatNetscapeCookies(cookies);
+
+      const ext = format === "json" ? "json" : "txt";
+      const defaultName = `${profile.name}_cookies.${ext}`;
+
+      const filePath = await save({
+        defaultPath: defaultName,
+        filters: [
+          {
+            name: format === "json" ? "JSON" : "Text",
+            extensions: [ext],
+          },
+        ],
+      });
+
+      if (!filePath) {
+        setIsExporting(false);
+        return;
+      }
+
+      await writeTextFile(filePath, content);
+      toast.success("Cookies exported successfully");
+      handleClose();
+    } catch (error) {
+      toast.error(error instanceof Error ? error.message : String(error));
+    } finally {
+      setIsExporting(false);
+    }
+  }, [profile, format, getSelectedCookies, handleClose]);
+
+  const toggleDomain = useCallback(
+    (domain: string, cookies: UnifiedCookie[]) => {
+      setExportSelection((prev) => {
+        const current = prev[domain];
+        if (current?.allSelected) {
+          const next = { ...prev };
+          delete next[domain];
+          return next;
+        }
+        return {
+          ...prev,
+          [domain]: {
+            allSelected: true,
+            cookies: new Set(cookies.map((c) => c.name)),
+          },
+        };
+      });
+    },
+    [],
+  );
+
+  const toggleCookie = useCallback(
+    (domain: string, cookieName: string, totalCookies: number) => {
+      setExportSelection((prev) => {
+        const current = prev[domain] || {
+          allSelected: false,
+          cookies: new Set<string>(),
+        };
+        const newCookies = new Set(current.cookies);
+        if (newCookies.has(cookieName)) {
+          newCookies.delete(cookieName);
+        } else {
+          newCookies.add(cookieName);
+        }
+        if (newCookies.size === 0) {
+          const next = { ...prev };
+          delete next[domain];
+          return next;
+        }
+        return {
+          ...prev,
+          [domain]: {
+            allSelected: newCookies.size === totalCookies,
+            cookies: newCookies,
+          },
+        };
+      });
+    },
+    [],
+  );
+
+  const toggleExpand = useCallback((domain: string) => {
+    setExpandedDomains((prev) => {
+      const next = new Set(prev);
+      if (next.has(domain)) {
+        next.delete(domain);
+      } else {
+        next.add(domain);
+      }
+      return next;
+    });
+  }, []);
+
+  const toggleSelectAll = useCallback(() => {
+    if (!exportCookieData) return;
+    if (selectedExportCount === exportCookieData.total_count) {
+      setExportSelection({});
+    } else {
+      setExportSelection(initSelectionFromCookieData(exportCookieData));
+    }
+  }, [exportCookieData, selectedExportCount]);
+
+  return (
+    <Dialog open={isOpen} onOpenChange={handleClose}>
+      <DialogContent className="max-w-lg">
+        <DialogHeader>
+          <DialogTitle>Cookie Management</DialogTitle>
+        </DialogHeader>
+
+        <Tabs
+          defaultValue={initialTab}
+          onValueChange={handleTabChange}
+          className="w-full"
+        >
+          <TabsList className="grid w-full grid-cols-2">
+            <TabsTrigger value="import">Import</TabsTrigger>
+            <TabsTrigger value="export">Export</TabsTrigger>
+          </TabsList>
+
+          <TabsContent value="import" className="space-y-4 mt-4">
+            {!fileContent && (
+              <div className="space-y-4">
+                <p className="text-sm text-muted-foreground">
+                  Import cookies from a Netscape or JSON format file.
+                </p>
+                <div
+                  role="button"
+                  tabIndex={0}
+                  className="flex flex-col items-center justify-center border-2 border-dashed rounded-lg p-8 transition-colors cursor-pointer border-muted-foreground/25 hover:border-muted-foreground/50"
+                  onClick={() =>
+                    document.getElementById("cookie-file-input")?.click()
+                  }
+                  onKeyDown={(e) => {
+                    if (e.key === "Enter" || e.key === " ") {
+                      e.preventDefault();
+                      document.getElementById("cookie-file-input")?.click();
+                    }
+                  }}
+                >
+                  <LuUpload className="w-10 h-10 text-muted-foreground mb-4" />
+                  <p className="text-sm text-muted-foreground text-center">
+                    Click to choose a cookie file
+                    <br />
+                    <span className="text-xs">(.txt, .cookies, or .json)</span>
+                  </p>
+                  <input
+                    id="cookie-file-input"
+                    type="file"
+                    accept=".txt,.cookies,.json"
+                    className="hidden"
+                    onChange={(e) => {
+                      const file = e.target.files?.[0];
+                      if (file) handleFileRead(file);
+                      e.target.value = "";
+                    }}
+                  />
+                </div>
+              </div>
+            )}
+
+            {fileContent && !importResult && (
+              <div className="space-y-4">
+                <div className="flex items-center gap-3 p-4 bg-muted/30 rounded-lg">
+                  <div>
+                    <div className="font-medium">{fileName}</div>
+                    <div className="text-sm text-muted-foreground">
+                      {cookieCount} cookies found
+                    </div>
+                  </div>
+                </div>
+                <div className="flex justify-end gap-2">
+                  <RippleButton variant="outline" onClick={resetImportState}>
+                    Back
+                  </RippleButton>
+                  <LoadingButton
+                    isLoading={isImporting}
+                    onClick={() => void handleImport()}
+                    disabled={cookieCount === 0}
+                  >
+                    Import
+                  </LoadingButton>
+                </div>
+              </div>
+            )}
+
+            {importResult && (
+              <div className="space-y-4">
+                <div className="p-4 rounded-lg bg-green-500/10">
+                  <div className="font-medium text-green-600 dark:text-green-400">
+                    Successfully imported {importResult.cookies_imported}{" "}
+                    cookies ({importResult.cookies_replaced} replaced)
+                  </div>
+                  {importResult.errors.length > 0 && (
+                    <div className="mt-2 text-sm text-muted-foreground">
+                      {importResult.errors.length} line(s) skipped
+                    </div>
+                  )}
+                </div>
+                <div className="flex justify-end">
+                  <RippleButton onClick={handleClose}>Done</RippleButton>
+                </div>
+              </div>
+            )}
+          </TabsContent>
+
+          <TabsContent value="export" className="space-y-3 mt-4">
+            <div className="space-y-2">
+              <Label>Format</Label>
+              <Select
+                value={format}
+                onValueChange={(v) => setFormat(v as "netscape" | "json")}
+              >
+                <SelectTrigger>
+                  <SelectValue />
+                </SelectTrigger>
+                <SelectContent>
+                  <SelectItem value="json">JSON</SelectItem>
+                  <SelectItem value="netscape">Netscape TXT</SelectItem>
+                </SelectContent>
+              </Select>
+            </div>
+
+            <div className="space-y-2">
+              <div className="flex items-center justify-between">
+                <Label>
+                  Cookies{" "}
+                  {exportCookieData && (
+                    <span className="text-muted-foreground font-normal">
+                      ({selectedExportCount} of {exportCookieData.total_count}{" "}
+                      selected)
+                    </span>
+                  )}
+                </Label>
+                {exportCookieData && exportCookieData.total_count > 0 && (
+                  <button
+                    type="button"
+                    className="text-xs text-muted-foreground hover:text-foreground transition-colors"
+                    onClick={toggleSelectAll}
+                  >
+                    {selectedExportCount === exportCookieData.total_count
+                      ? "Deselect all"
+                      : "Select all"}
+                  </button>
+                )}
+              </div>
+
+              {isLoadingExportCookies ? (
+                <div className="flex items-center justify-center h-24">
+                  <div className="animate-spin h-5 w-5 border-2 border-primary border-t-transparent rounded-full" />
+                </div>
+              ) : !exportCookieData || exportCookieData.domains.length === 0 ? (
+                <div className="p-4 text-center text-sm text-muted-foreground border rounded-md">
+                  No cookies found in this profile
+                </div>
+              ) : (
+                <ScrollArea className="h-[200px] border rounded-md">
+                  <div className="p-2 space-y-1">
+                    {exportCookieData.domains.map((domain) => (
+                      <ExportDomainRow
+                        key={domain.domain}
+                        domain={domain}
+                        selection={exportSelection}
+                        isExpanded={expandedDomains.has(domain.domain)}
+                        onToggleDomain={toggleDomain}
+                        onToggleCookie={toggleCookie}
+                        onToggleExpand={toggleExpand}
+                      />
+                    ))}
+                  </div>
+                </ScrollArea>
+              )}
+            </div>
+
+            <div className="flex justify-end gap-2">
+              <RippleButton variant="outline" onClick={handleClose}>
+                Cancel
+              </RippleButton>
+              <LoadingButton
+                isLoading={isExporting}
+                onClick={() => void handleExport()}
+                disabled={selectedExportCount === 0}
+              >
+                Export
+              </LoadingButton>
+            </div>
+          </TabsContent>
+        </Tabs>
+      </DialogContent>
+    </Dialog>
+  );
+}
+
+interface ExportDomainRowProps {
+  domain: DomainCookies;
+  selection: SelectionState;
+  isExpanded: boolean;
+  onToggleDomain: (domain: string, cookies: UnifiedCookie[]) => void;
+  onToggleCookie: (
+    domain: string,
+    cookieName: string,
+    totalCookies: number,
+  ) => void;
+  onToggleExpand: (domain: string) => void;
+}
+
+function ExportDomainRow({
+  domain,
+  selection,
+  isExpanded,
+  onToggleDomain,
+  onToggleCookie,
+  onToggleExpand,
+}: ExportDomainRowProps) {
+  const domainSelection = selection[domain.domain];
+  const isAllSelected = domainSelection?.allSelected || false;
+  const selectedCount = domainSelection?.cookies.size || 0;
+  const isPartial =
+    selectedCount > 0 && selectedCount < domain.cookie_count && !isAllSelected;
+
+  return (
+    <div>
+      <div className="flex items-center gap-2 p-1.5 hover:bg-accent/50 rounded">
+        <Checkbox
+          checked={isAllSelected || isPartial}
+          onCheckedChange={() => onToggleDomain(domain.domain, domain.cookies)}
+          className={isPartial ? "opacity-70" : ""}
+        />
+        <button
+          type="button"
+          className="flex items-center gap-1 flex-1 text-left text-sm bg-transparent border-none cursor-pointer"
+          onClick={() => onToggleExpand(domain.domain)}
+        >
+          {isExpanded ? (
+            <LuChevronDown className="w-3.5 h-3.5" />
+          ) : (
+            <LuChevronRight className="w-3.5 h-3.5" />
+          )}
+          <span className="font-medium truncate">{domain.domain}</span>
+          <span className="text-xs text-muted-foreground shrink-0">
+            ({domain.cookie_count})
+          </span>
+        </button>
+      </div>
+      {isExpanded && (
+        <div className="ml-7 pl-2 border-l space-y-0.5">
+          {domain.cookies.map((cookie) => {
+            const isSelected =
+              domainSelection?.cookies.has(cookie.name) || false;
+            return (
+              <div
+                key={`${domain.domain}-${cookie.name}`}
+                className="flex items-center gap-2 p-1 text-sm hover:bg-accent/30 rounded"
+              >
+                <Checkbox
+                  checked={isSelected || isAllSelected}
+                  onCheckedChange={() =>
+                    onToggleCookie(
+                      domain.domain,
+                      cookie.name,
+                      domain.cookie_count,
+                    )
+                  }
+                />
+                <span className="truncate">{cookie.name}</span>
+              </div>
+            );
+          })}
+        </div>
+      )}
+    </div>
+  );
+}
@@ -2,11 +2,13 @@

 import { invoke } from "@tauri-apps/api/core";
 import { useCallback, useEffect, useMemo, useRef, useState } from "react";
+import { useTranslation } from "react-i18next";
 import { GoPlus } from "react-icons/go";
 import { LoadingButton } from "@/components/loading-button";
 import { ProxyFormDialog } from "@/components/proxy-form-dialog";
 import { SharedCamoufoxConfigForm } from "@/components/shared-camoufox-config-form";
 import { Button } from "@/components/ui/button";
+import { Checkbox } from "@/components/ui/checkbox";
 import {
  Dialog,
  DialogContent,
@@ -20,15 +22,17 @@ import { ScrollArea } from "@/components/ui/scroll-area";
 import {
  Select,
  SelectContent,
+  SelectGroup,
  SelectItem,
+  SelectLabel,
  SelectTrigger,
  SelectValue,
 } from "@/components/ui/select";
 import { Tabs, TabsContent } from "@/components/ui/tabs";
 import { WayfernConfigForm } from "@/components/wayfern-config-form";
-
 import { useBrowserDownload } from "@/hooks/use-browser-download";
 import { useProxyEvents } from "@/hooks/use-proxy-events";
+import { useVpnEvents } from "@/hooks/use-vpn-events";
 import { getBrowserIcon } from "@/lib/browser-utils";
 import type {
  BrowserReleaseTypes,
@@ -66,9 +70,12 @@ interface CreateProfileDialogProps {
    version: string;
    releaseType: string;
    proxyId?: string;
+    vpnId?: string;
    camoufoxConfig?: CamoufoxConfig;
    wayfernConfig?: WayfernConfig;
    groupId?: string;
+    extensionGroupId?: string;
+    ephemeral?: boolean;
  }) => Promise<void>;
  selectedGroupId?: string;
  crossOsUnlocked?: boolean;
@@ -109,6 +116,7 @@ export function CreateProfileDialog({
  selectedGroupId,
  crossOsUnlocked = false,
 }: CreateProfileDialogProps) {
+  const { t } = useTranslation();
  const [profileName, setProfileName] = useState("");
  const [currentStep, setCurrentStep] = useState<
    "browser-selection" | "browser-config"
@@ -155,8 +163,25 @@ export function CreateProfileDialog({

  const [supportedBrowsers, setSupportedBrowsers] = useState<string[]>([]);
  const { storedProxies } = useProxyEvents();
+  const { vpnConfigs } = useVpnEvents();
  const [showProxyForm, setShowProxyForm] = useState(false);
  const [isCreating, setIsCreating] = useState(false);
+  const [ephemeral, setEphemeral] = useState(false);
+  const [selectedExtensionGroupId, setSelectedExtensionGroupId] =
+    useState<string>();
+  const [extensionGroups, setExtensionGroups] = useState<
+    { id: string; name: string; extension_ids: string[] }[]
+  >([]);
+
+  useEffect(() => {
+    if (isOpen) {
+      invoke<{ id: string; name: string; extension_ids: string[] }[]>(
+        "list_extension_groups",
+      )
+        .then(setExtensionGroups)
+        .catch(() => setExtensionGroups([]));
+    }
+  }, [isOpen]);
  const [releaseTypes, setReleaseTypes] = useState<BrowserReleaseTypes>();
  const [isLoadingReleaseTypes, setIsLoadingReleaseTypes] = useState(false);
  const [releaseTypesError, setReleaseTypesError] = useState<string | null>(
@@ -170,6 +195,7 @@ export function CreateProfileDialog({
    downloadBrowser,
    loadDownloadedVersions,
    isVersionDownloaded,
+    downloadedVersionsMap,
  } = useBrowserDownload();

  const loadSupportedBrowsers = useCallback(async () => {
@@ -328,6 +354,27 @@ export function CreateProfileDialog({
    [releaseTypes],
  );

+  const getCreatableVersion = useCallback(
+    (browserType?: string) => {
+      const bestVersion = getBestAvailableVersion(browserType);
+      if (bestVersion && isVersionDownloaded(bestVersion.version)) {
+        return bestVersion;
+      }
+      const browserDownloaded = downloadedVersionsMap[browserType ?? ""] ?? [];
+      if (browserDownloaded.length > 0) {
+        const fallbackVersion = browserDownloaded[0];
+        const releaseType =
+          browserType === "firefox-developer" ? "nightly" : "stable";
+        return {
+          version: fallbackVersion,
+          releaseType: releaseType as "stable" | "nightly",
+        };
+      }
+      return null;
+    },
+    [getBestAvailableVersion, isVersionDownloaded, downloadedVersionsMap],
+  );
+
  const handleDownload = async (browserStr: string) => {
    const bestVersion = getBestAvailableVersion(browserStr);

@@ -347,11 +394,16 @@ export function CreateProfileDialog({
    if (!profileName.trim()) return;

    setIsCreating(true);
+
+    const isVpnSelection = selectedProxyId?.startsWith("vpn-") ?? false;
+    const resolvedProxyId = isVpnSelection ? undefined : selectedProxyId;
+    const resolvedVpnId =
+      isVpnSelection && selectedProxyId ? selectedProxyId.slice(4) : undefined;
    try {
      if (activeTab === "anti-detect") {
        // Anti-detect browser - check if Wayfern or Camoufox is selected
        if (selectedBrowser === "wayfern") {
-          const bestWayfernVersion = getBestAvailableVersion("wayfern");
+          const bestWayfernVersion = getCreatableVersion("wayfern");
          if (!bestWayfernVersion) {
            console.error("No Wayfern version available");
            return;
@@ -365,14 +417,17 @@ export function CreateProfileDialog({
            browserStr: "wayfern" as BrowserTypeString,
            version: bestWayfernVersion.version,
            releaseType: bestWayfernVersion.releaseType,
-            proxyId: selectedProxyId,
+            proxyId: resolvedProxyId,
+            vpnId: resolvedVpnId,
            wayfernConfig: finalWayfernConfig,
            groupId:
              selectedGroupId !== "default" ? selectedGroupId : undefined,
+            extensionGroupId: selectedExtensionGroupId,
+            ephemeral,
          });
        } else {
          // Default to Camoufox
-          const bestCamoufoxVersion = getBestAvailableVersion("camoufox");
+          const bestCamoufoxVersion = getCreatableVersion("camoufox");
          if (!bestCamoufoxVersion) {
            console.error("No Camoufox version available");
            return;
@@ -387,10 +442,13 @@ export function CreateProfileDialog({
            browserStr: "camoufox" as BrowserTypeString,
            version: bestCamoufoxVersion.version,
            releaseType: bestCamoufoxVersion.releaseType,
-            proxyId: selectedProxyId,
+            proxyId: resolvedProxyId,
+            vpnId: resolvedVpnId,
            camoufoxConfig: finalCamoufoxConfig,
            groupId:
              selectedGroupId !== "default" ? selectedGroupId : undefined,
+            extensionGroupId: selectedExtensionGroupId,
+            ephemeral,
          });
        }
      } else {
@@ -401,7 +459,7 @@ export function CreateProfileDialog({
        }

        // Use the best available version (stable preferred, nightly as fallback)
-        const bestVersion = getBestAvailableVersion(selectedBrowser);
+        const bestVersion = getCreatableVersion(selectedBrowser);
        if (!bestVersion) {
          console.error("No version available");
          return;
@@ -445,6 +503,7 @@ export function CreateProfileDialog({
    setWayfernConfig({
      os: getCurrentOS() as WayfernOS, // Reset to current OS
    });
+    setEphemeral(false);
    onClose();
  };

@@ -477,14 +536,14 @@ export function CreateProfileDialog({
    if (!profileName.trim()) return true;
    if (!selectedBrowser) return true;
    if (isBrowserCurrentlyDownloading(selectedBrowser)) return true;
-    if (!isBrowserVersionAvailable(selectedBrowser)) return true;
+    if (!getCreatableVersion(selectedBrowser)) return true;

    return false;
  }, [
    profileName,
    selectedBrowser,
    isBrowserCurrentlyDownloading,
-    isBrowserVersionAvailable,
+    getCreatableVersion,
  ]);

  // Filter supported browsers for regular browsers
@@ -543,9 +602,7 @@ export function CreateProfileDialog({
                              })()}
                            </div>
                            <div className="text-left">
-                              <div className="font-medium">
-                                Chromium (Wayfern)
-                              </div>
+                              <div className="font-medium">Wayfern</div>
                              <div className="text-sm text-muted-foreground">
                                Anti-Detect Browser
                              </div>
@@ -568,9 +625,7 @@ export function CreateProfileDialog({
                              })()}
                            </div>
                            <div className="text-left">
-                              <div className="font-medium">
-                                Firefox (Camoufox)
-                              </div>
+                              <div className="font-medium">Camoufox</div>
                              <div className="text-sm text-muted-foreground">
                                Anti-Detect Browser
                              </div>
@@ -650,6 +705,28 @@ export function CreateProfileDialog({
                          />
                        </div>

+                        {/* Ephemeral Option */}
+                        <div className="space-y-3 p-4 border rounded-lg bg-muted/30">
+                          <div className="flex items-center space-x-2">
+                            <Checkbox
+                              id="ephemeral"
+                              checked={ephemeral}
+                              onCheckedChange={(checked) =>
+                                setEphemeral(checked === true)
+                              }
+                            />
+                            <Label htmlFor="ephemeral" className="font-medium">
+                              {t("profiles.ephemeral")}
+                            </Label>
+                            <span className="px-1 py-0.5 text-[10px] leading-none rounded bg-muted text-muted-foreground font-medium">
+                              {t("profiles.ephemeralAlpha")}
+                            </span>
+                          </div>
+                          <p className="text-sm text-muted-foreground ml-6">
+                            {t("profiles.ephemeralDescription")}
+                          </p>
+                        </div>
+
                        {selectedBrowser === "wayfern" ? (
                          // Wayfern Configuration
                          <div className="space-y-6">
@@ -745,6 +822,7 @@ export function CreateProfileDialog({
                              onConfigChange={updateWayfernConfig}
                              isCreating
                              crossOsUnlocked={crossOsUnlocked}
+                              limitedMode={!crossOsUnlocked}
                            />
                          </div>
                        ) : selectedBrowser === "camoufox" ? (
@@ -843,6 +921,7 @@ export function CreateProfileDialog({
                              isCreating
                              browserType="camoufox"
                              crossOsUnlocked={crossOsUnlocked}
+                              limitedMode={!crossOsUnlocked}
                            />
                          </div>
                        ) : (
@@ -946,10 +1025,10 @@ export function CreateProfileDialog({
                          </div>
                        )}

-                        {/* Proxy Selection - Always visible */}
+                        {/* Proxy / VPN Selection - Always visible */}
                        <div className="space-y-3">
                          <div className="flex justify-between items-center">
-                            <Label>Proxy</Label>
+                            <Label>Proxy / VPN</Label>
                            <RippleButton
                              size="sm"
                              variant="outline"
@@ -959,7 +1038,7 @@ export function CreateProfileDialog({
                              <GoPlus className="mr-1 w-3 h-3" /> Add Proxy
                            </RippleButton>
                          </div>
-                          {storedProxies.length > 0 ? (
+                          {storedProxies.length > 0 || vpnConfigs.length > 0 ? (
                            <Select
                              value={selectedProxyId || "none"}
                              onValueChange={(value) =>
@@ -969,24 +1048,81 @@ export function CreateProfileDialog({
                              }
                            >
                              <SelectTrigger>
-                                <SelectValue placeholder="No proxy" />
+                                <SelectValue placeholder="No proxy / VPN" />
                              </SelectTrigger>
                              <SelectContent>
-                                <SelectItem value="none">No proxy</SelectItem>
-                                {storedProxies.map((proxy) => (
-                                  <SelectItem key={proxy.id} value={proxy.id}>
-                                    {proxy.name}
-                                  </SelectItem>
-                                ))}
+                                <SelectItem value="none">
+                                  No proxy / VPN
+                                </SelectItem>
+                                {storedProxies.length > 0 && (
+                                  <SelectGroup>
+                                    <SelectLabel>Proxies</SelectLabel>
+                                    {storedProxies.map((proxy) => (
+                                      <SelectItem
+                                        key={proxy.id}
+                                        value={proxy.id}
+                                      >
+                                        {proxy.name}
+                                      </SelectItem>
+                                    ))}
+                                  </SelectGroup>
+                                )}
+                                {vpnConfigs.length > 0 && (
+                                  <SelectGroup>
+                                    <SelectLabel>VPNs</SelectLabel>
+                                    {vpnConfigs.map((vpn) => (
+                                      <SelectItem
+                                        key={vpn.id}
+                                        value={`vpn-${vpn.id}`}
+                                      >
+                                        {vpn.vpn_type === "WireGuard"
+                                          ? "WG"
+                                          : "OVPN"}{" "}
+                                        — {vpn.name}
+                                      </SelectItem>
+                                    ))}
+                                  </SelectGroup>
+                                )}
                              </SelectContent>
                            </Select>
                          ) : (
                            <div className="flex gap-3 items-center p-3 text-sm rounded-md border text-muted-foreground">
-                              No proxies available. Add one to route this
-                              profile's traffic.
+                              No proxies or VPNs available. Add one to route
+                              this profile's traffic.
                            </div>
                          )}
                        </div>
+
+                        {/* Extension Group */}
+                        {extensionGroups.length > 0 && (
+                          <div className="space-y-2">
+                            <Label>{t("extensions.extensionGroup")}</Label>
+                            <Select
+                              value={selectedExtensionGroupId || "none"}
+                              onValueChange={(val) =>
+                                setSelectedExtensionGroupId(
+                                  val === "none" ? undefined : val,
+                                )
+                              }
+                            >
+                              <SelectTrigger>
+                                <SelectValue
+                                  placeholder={t("profileInfo.values.none")}
+                                />
+                              </SelectTrigger>
+                              <SelectContent>
+                                <SelectItem value="none">
+                                  {t("profileInfo.values.none")}
+                                </SelectItem>
+                                {extensionGroups.map((g) => (
+                                  <SelectItem key={g.id} value={g.id}>
+                                    {g.name} ({g.extension_ids.length})
+                                  </SelectItem>
+                                ))}
+                              </SelectContent>
+                            </Select>
+                          </div>
+                        )}
                      </div>
                    </TabsContent>

@@ -1107,10 +1243,10 @@ export function CreateProfileDialog({
                          )}
                        </div>

-                        {/* Proxy Selection - Always visible */}
+                        {/* Proxy / VPN Selection - Always visible */}
                        <div className="space-y-3">
                          <div className="flex justify-between items-center">
-                            <Label>Proxy</Label>
+                            <Label>Proxy / VPN</Label>
                            <RippleButton
                              size="sm"
                              variant="outline"
@@ -1120,7 +1256,7 @@ export function CreateProfileDialog({
                              <GoPlus className="mr-1 w-3 h-3" /> Add Proxy
                            </RippleButton>
                          </div>
-                          {storedProxies.length > 0 ? (
+                          {storedProxies.length > 0 || vpnConfigs.length > 0 ? (
                            <Select
                              value={selectedProxyId || "none"}
                              onValueChange={(value) =>
@@ -1130,21 +1266,47 @@ export function CreateProfileDialog({
                              }
                            >
                              <SelectTrigger>
-                                <SelectValue placeholder="No proxy" />
+                                <SelectValue placeholder="No proxy / VPN" />
                              </SelectTrigger>
                              <SelectContent>
-                                <SelectItem value="none">No proxy</SelectItem>
-                                {storedProxies.map((proxy) => (
-                                  <SelectItem key={proxy.id} value={proxy.id}>
-                                    {proxy.name}
-                                  </SelectItem>
-                                ))}
+                                <SelectItem value="none">
+                                  No proxy / VPN
+                                </SelectItem>
+                                {storedProxies.length > 0 && (
+                                  <SelectGroup>
+                                    <SelectLabel>Proxies</SelectLabel>
+                                    {storedProxies.map((proxy) => (
+                                      <SelectItem
+                                        key={proxy.id}
+                                        value={proxy.id}
+                                      >
+                                        {proxy.name}
+                                      </SelectItem>
+                                    ))}
+                                  </SelectGroup>
+                                )}
+                                {vpnConfigs.length > 0 && (
+                                  <SelectGroup>
+                                    <SelectLabel>VPNs</SelectLabel>
+                                    {vpnConfigs.map((vpn) => (
+                                      <SelectItem
+                                        key={vpn.id}
+                                        value={`vpn-${vpn.id}`}
+                                      >
+                                        {vpn.vpn_type === "WireGuard"
+                                          ? "WG"
+                                          : "OVPN"}{" "}
+                                        — {vpn.name}
+                                      </SelectItem>
+                                    ))}
+                                  </SelectGroup>
+                                )}
                              </SelectContent>
                            </Select>
                          ) : (
                            <div className="flex gap-3 items-center p-3 text-sm rounded-md border text-muted-foreground">
-                              No proxies available. Add one to route this
-                              profile's traffic.
+                              No proxies or VPNs available. Add one to route
+                              this profile's traffic.
                            </div>
                          )}
                        </div>
@@ -0,0 +1,716 @@
+"use client";
+
+import { invoke } from "@tauri-apps/api/core";
+import { useCallback, useEffect, useState } from "react";
+import { useTranslation } from "react-i18next";
+import { GoPlus } from "react-icons/go";
+import { LuPencil, LuPuzzle, LuTrash2, LuUpload } from "react-icons/lu";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { ProBadge } from "@/components/ui/pro-badge";
+import { ScrollArea } from "@/components/ui/scroll-area";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@/components/ui/select";
+import {
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableHeader,
+  TableRow,
+} from "@/components/ui/table";
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipTrigger,
+} from "@/components/ui/tooltip";
+import { showErrorToast, showSuccessToast } from "@/lib/toast-utils";
+import type { Extension, ExtensionGroup } from "@/types";
+import { DeleteConfirmationDialog } from "./delete-confirmation-dialog";
+import { RippleButton } from "./ui/ripple";
+
+interface ExtensionManagementDialogProps {
+  isOpen: boolean;
+  onClose: () => void;
+  limitedMode: boolean;
+}
+
+export function ExtensionManagementDialog({
+  isOpen,
+  onClose,
+  limitedMode,
+}: ExtensionManagementDialogProps) {
+  const { t } = useTranslation();
+  const [extensions, setExtensions] = useState<Extension[]>([]);
+  const [extensionGroups, setExtensionGroups] = useState<ExtensionGroup[]>([]);
+  const [isLoading, setIsLoading] = useState(false);
+
+  // Extension upload state
+  const [isUploading, setIsUploading] = useState(false);
+  const [extensionName, setExtensionName] = useState("");
+  const [showUploadForm, setShowUploadForm] = useState(false);
+  const [pendingFile, setPendingFile] = useState<{
+    name: string;
+    data: number[];
+  } | null>(null);
+
+  // Group state
+  const [showCreateGroup, setShowCreateGroup] = useState(false);
+  const [newGroupName, setNewGroupName] = useState("");
+  const [editingGroup, setEditingGroup] = useState<ExtensionGroup | null>(null);
+  const [editGroupName, setEditGroupName] = useState("");
+
+  // Delete state
+  const [extensionToDelete, setExtensionToDelete] = useState<Extension | null>(
+    null,
+  );
+  const [groupToDelete, setGroupToDelete] = useState<ExtensionGroup | null>(
+    null,
+  );
+  const [isDeleting, setIsDeleting] = useState(false);
+
+  // Tab
+  const [activeTab, setActiveTab] = useState<"extensions" | "groups">(
+    "extensions",
+  );
+
+  const loadData = useCallback(async () => {
+    if (limitedMode) return;
+    setIsLoading(true);
+    try {
+      const [exts, groups] = await Promise.all([
+        invoke<Extension[]>("list_extensions"),
+        invoke<ExtensionGroup[]>("list_extension_groups"),
+      ]);
+      setExtensions(exts);
+      setExtensionGroups(groups);
+    } catch {
+      // User may not have pro subscription
+      setExtensions([]);
+      setExtensionGroups([]);
+    } finally {
+      setIsLoading(false);
+    }
+  }, [limitedMode]);
+
+  useEffect(() => {
+    if (isOpen) {
+      void loadData();
+    }
+  }, [isOpen, loadData]);
+
+  const handleFileSelect = useCallback(
+    (e: React.ChangeEvent<HTMLInputElement>) => {
+      const file = e.target.files?.[0];
+      if (!file) return;
+
+      const validExtensions = [".xpi", ".crx", ".zip"];
+      const isValid = validExtensions.some((ext) =>
+        file.name.toLowerCase().endsWith(ext),
+      );
+      if (!isValid) {
+        showErrorToast(t("extensions.invalidFileType"));
+        return;
+      }
+
+      const reader = new FileReader();
+      reader.onload = (event) => {
+        const arrayBuffer = event.target?.result as ArrayBuffer;
+        const data = Array.from(new Uint8Array(arrayBuffer));
+        const baseName = file.name
+          .replace(/\.(xpi|crx|zip)$/i, "")
+          .replace(/[-_]/g, " ");
+        setExtensionName(baseName);
+        setPendingFile({ name: file.name, data });
+        setShowUploadForm(true);
+      };
+      reader.onerror = () => {
+        showErrorToast(t("extensions.readError"));
+      };
+      reader.readAsArrayBuffer(file);
+
+      // Reset input
+      e.target.value = "";
+    },
+    [t],
+  );
+
+  const handleUpload = useCallback(async () => {
+    if (!pendingFile || !extensionName.trim()) return;
+    setIsUploading(true);
+    try {
+      await invoke("add_extension", {
+        name: extensionName.trim(),
+        fileName: pendingFile.name,
+        fileData: pendingFile.data,
+      });
+      showSuccessToast(t("extensions.uploadSuccess"));
+      setShowUploadForm(false);
+      setPendingFile(null);
+      setExtensionName("");
+      void loadData();
+    } catch (err) {
+      showErrorToast(err instanceof Error ? err.message : String(err));
+    } finally {
+      setIsUploading(false);
+    }
+  }, [pendingFile, extensionName, loadData, t]);
+
+  const handleDeleteExtension = useCallback(async () => {
+    if (!extensionToDelete) return;
+    setIsDeleting(true);
+    try {
+      await invoke("delete_extension", { extensionId: extensionToDelete.id });
+      showSuccessToast(t("extensions.deleteSuccess"));
+      setExtensionToDelete(null);
+      void loadData();
+    } catch (err) {
+      showErrorToast(err instanceof Error ? err.message : String(err));
+    } finally {
+      setIsDeleting(false);
+    }
+  }, [extensionToDelete, loadData, t]);
+
+  const handleCreateGroup = useCallback(async () => {
+    if (!newGroupName.trim()) return;
+    try {
+      await invoke("create_extension_group", { name: newGroupName.trim() });
+      showSuccessToast(t("extensions.groupCreateSuccess"));
+      setShowCreateGroup(false);
+      setNewGroupName("");
+      void loadData();
+    } catch (err) {
+      showErrorToast(err instanceof Error ? err.message : String(err));
+    }
+  }, [newGroupName, loadData, t]);
+
+  const handleUpdateGroup = useCallback(async () => {
+    if (!editingGroup || !editGroupName.trim()) return;
+    try {
+      await invoke("update_extension_group", {
+        groupId: editingGroup.id,
+        name: editGroupName.trim(),
+      });
+      showSuccessToast(t("extensions.groupUpdateSuccess"));
+      setEditingGroup(null);
+      setEditGroupName("");
+      void loadData();
+    } catch (err) {
+      showErrorToast(err instanceof Error ? err.message : String(err));
+    }
+  }, [editingGroup, editGroupName, loadData, t]);
+
+  const handleDeleteGroup = useCallback(async () => {
+    if (!groupToDelete) return;
+    setIsDeleting(true);
+    try {
+      await invoke("delete_extension_group", { groupId: groupToDelete.id });
+      showSuccessToast(t("extensions.groupDeleteSuccess"));
+      setGroupToDelete(null);
+      void loadData();
+    } catch (err) {
+      showErrorToast(err instanceof Error ? err.message : String(err));
+    } finally {
+      setIsDeleting(false);
+    }
+  }, [groupToDelete, loadData, t]);
+
+  const handleAddToGroup = useCallback(
+    async (groupId: string, extensionId: string) => {
+      try {
+        await invoke("add_extension_to_group", { groupId, extensionId });
+        void loadData();
+      } catch (err) {
+        showErrorToast(err instanceof Error ? err.message : String(err));
+      }
+    },
+    [loadData],
+  );
+
+  const handleRemoveFromGroup = useCallback(
+    async (groupId: string, extensionId: string) => {
+      try {
+        await invoke("remove_extension_from_group", { groupId, extensionId });
+        void loadData();
+      } catch (err) {
+        showErrorToast(err instanceof Error ? err.message : String(err));
+      }
+    },
+    [loadData],
+  );
+
+  const getCompatibilityBadge = (compat: string[]) => {
+    if (compat.includes("chromium") && compat.includes("firefox")) {
+      return (
+        <Badge variant="secondary">{t("extensions.compatibility.both")}</Badge>
+      );
+    }
+    if (compat.includes("chromium")) {
+      return (
+        <Badge variant="secondary">
+          {t("extensions.compatibility.chromium")}
+        </Badge>
+      );
+    }
+    if (compat.includes("firefox")) {
+      return (
+        <Badge variant="secondary">
+          {t("extensions.compatibility.firefox")}
+        </Badge>
+      );
+    }
+    return null;
+  };
+
+  return (
+    <>
+      <Dialog open={isOpen} onOpenChange={onClose}>
+        <DialogContent className="max-w-2xl">
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2">
+              <LuPuzzle className="w-5 h-5" />
+              {t("extensions.title")}
+              {limitedMode && <ProBadge />}
+            </DialogTitle>
+            <DialogDescription>{t("extensions.description")}</DialogDescription>
+          </DialogHeader>
+
+          <div className="relative">
+            {limitedMode && (
+              <>
+                <div className="absolute inset-0 backdrop-blur-[6px] bg-background/30 z-[1]" />
+                <div className="absolute inset-y-0 left-0 w-6 bg-gradient-to-r from-background to-transparent z-[2]" />
+                <div className="absolute inset-y-0 right-0 w-6 bg-gradient-to-l from-background to-transparent z-[2]" />
+                <div className="absolute inset-x-0 top-0 h-6 bg-gradient-to-b from-background to-transparent z-[2]" />
+                <div className="absolute inset-x-0 bottom-0 h-6 bg-gradient-to-t from-background to-transparent z-[2]" />
+                <div className="absolute inset-0 flex items-center justify-center z-[3]">
+                  <div className="flex items-center gap-2 rounded-md bg-background/80 px-3 py-1.5">
+                    <ProBadge />
+                    <span className="text-sm font-medium text-muted-foreground">
+                      {t("extensions.proRequired")}
+                    </span>
+                  </div>
+                </div>
+              </>
+            )}
+
+            <div className="space-y-4">
+              {/* Tab selector */}
+              <div className="flex gap-2 border-b">
+                <button
+                  type="button"
+                  className={`px-3 py-2 text-sm font-medium border-b-2 transition-colors ${
+                    activeTab === "extensions"
+                      ? "border-primary text-foreground"
+                      : "border-transparent text-muted-foreground hover:text-foreground"
+                  }`}
+                  onClick={() => setActiveTab("extensions")}
+                  disabled={limitedMode}
+                >
+                  {t("extensions.extensionsTab")}
+                </button>
+                <button
+                  type="button"
+                  className={`px-3 py-2 text-sm font-medium border-b-2 transition-colors ${
+                    activeTab === "groups"
+                      ? "border-primary text-foreground"
+                      : "border-transparent text-muted-foreground hover:text-foreground"
+                  }`}
+                  onClick={() => setActiveTab("groups")}
+                  disabled={limitedMode}
+                >
+                  {t("extensions.groupsTab")}
+                </button>
+              </div>
+
+              {/* Notice */}
+              <div className="rounded-md bg-muted/50 p-3 text-sm text-muted-foreground">
+                {t("extensions.managedNotice")}
+              </div>
+
+              {activeTab === "extensions" && (
+                <div className="space-y-4">
+                  <div className="flex justify-between items-center">
+                    <Label>{t("extensions.extensionsTab")}</Label>
+                    <div>
+                      <label htmlFor="ext-file-input">
+                        <RippleButton
+                          size="sm"
+                          className="flex gap-2 items-center"
+                          disabled={limitedMode}
+                          onClick={() =>
+                            document.getElementById("ext-file-input")?.click()
+                          }
+                        >
+                          <LuUpload className="w-4 h-4" />
+                          {t("extensions.upload")}
+                        </RippleButton>
+                      </label>
+                      <input
+                        id="ext-file-input"
+                        type="file"
+                        accept=".xpi,.crx,.zip"
+                        className="hidden"
+                        onChange={handleFileSelect}
+                        disabled={limitedMode}
+                      />
+                    </div>
+                  </div>
+
+                  {/* Upload form */}
+                  {showUploadForm && pendingFile && (
+                    <div className="space-y-3 rounded-md border p-3">
+                      <div className="text-sm text-muted-foreground">
+                        {t("extensions.selectedFile")}:{" "}
+                        <span className="font-medium text-foreground">
+                          {pendingFile.name}
+                        </span>
+                      </div>
+                      <div className="flex gap-2">
+                        <Input
+                          value={extensionName}
+                          onChange={(e) => setExtensionName(e.target.value)}
+                          placeholder={t("extensions.namePlaceholder")}
+                          className="flex-1"
+                        />
+                        <RippleButton
+                          size="sm"
+                          onClick={handleUpload}
+                          disabled={isUploading || !extensionName.trim()}
+                        >
+                          {isUploading
+                            ? t("common.buttons.loading")
+                            : t("common.buttons.add")}
+                        </RippleButton>
+                        <Button
+                          size="sm"
+                          variant="outline"
+                          onClick={() => {
+                            setShowUploadForm(false);
+                            setPendingFile(null);
+                            setExtensionName("");
+                          }}
+                        >
+                          {t("common.buttons.cancel")}
+                        </Button>
+                      </div>
+                    </div>
+                  )}
+
+                  {/* Extensions list */}
+                  {isLoading ? (
+                    <div className="text-sm text-muted-foreground">
+                      {t("common.buttons.loading")}
+                    </div>
+                  ) : extensions.length === 0 ? (
+                    <div className="text-sm text-muted-foreground">
+                      {t("extensions.empty")}
+                    </div>
+                  ) : (
+                    <div className="border rounded-md">
+                      <ScrollArea className="h-[200px]">
+                        <Table>
+                          <TableHeader>
+                            <TableRow>
+                              <TableHead>{t("common.labels.name")}</TableHead>
+                              <TableHead className="w-24">
+                                {t("common.labels.type")}
+                              </TableHead>
+                              <TableHead className="w-32">
+                                {t("extensions.compatibility.label")}
+                              </TableHead>
+                              <TableHead className="w-20">
+                                {t("common.labels.actions")}
+                              </TableHead>
+                            </TableRow>
+                          </TableHeader>
+                          <TableBody>
+                            {extensions.map((ext) => (
+                              <TableRow key={ext.id}>
+                                <TableCell className="font-medium">
+                                  {ext.name}
+                                </TableCell>
+                                <TableCell>
+                                  <Badge variant="outline">
+                                    .{ext.file_type}
+                                  </Badge>
+                                </TableCell>
+                                <TableCell>
+                                  {getCompatibilityBadge(
+                                    ext.browser_compatibility,
+                                  )}
+                                </TableCell>
+                                <TableCell>
+                                  <Tooltip>
+                                    <TooltipTrigger asChild>
+                                      <Button
+                                        variant="ghost"
+                                        size="sm"
+                                        onClick={() =>
+                                          setExtensionToDelete(ext)
+                                        }
+                                      >
+                                        <LuTrash2 className="w-4 h-4" />
+                                      </Button>
+                                    </TooltipTrigger>
+                                    <TooltipContent>
+                                      {t("extensions.delete")}
+                                    </TooltipContent>
+                                  </Tooltip>
+                                </TableCell>
+                              </TableRow>
+                            ))}
+                          </TableBody>
+                        </Table>
+                      </ScrollArea>
+                    </div>
+                  )}
+                </div>
+              )}
+
+              {activeTab === "groups" && (
+                <div className="space-y-4">
+                  <div className="flex justify-between items-center">
+                    <Label>{t("extensions.groupsTab")}</Label>
+                    <RippleButton
+                      size="sm"
+                      onClick={() => setShowCreateGroup(true)}
+                      className="flex gap-2 items-center"
+                      disabled={limitedMode}
+                    >
+                      <GoPlus className="w-4 h-4" />
+                      {t("extensions.createGroup")}
+                    </RippleButton>
+                  </div>
+
+                  {/* Create group form */}
+                  {showCreateGroup && (
+                    <div className="flex gap-2 items-center">
+                      <Input
+                        value={newGroupName}
+                        onChange={(e) => setNewGroupName(e.target.value)}
+                        placeholder={t("extensions.groupNamePlaceholder")}
+                        className="flex-1"
+                        onKeyDown={(e) => {
+                          if (e.key === "Enter") void handleCreateGroup();
+                        }}
+                      />
+                      <RippleButton
+                        size="sm"
+                        onClick={handleCreateGroup}
+                        disabled={!newGroupName.trim()}
+                      >
+                        {t("common.buttons.create")}
+                      </RippleButton>
+                      <Button
+                        size="sm"
+                        variant="outline"
+                        onClick={() => {
+                          setShowCreateGroup(false);
+                          setNewGroupName("");
+                        }}
+                      >
+                        {t("common.buttons.cancel")}
+                      </Button>
+                    </div>
+                  )}
+
+                  {/* Groups list */}
+                  {extensionGroups.length === 0 ? (
+                    <div className="text-sm text-muted-foreground">
+                      {t("extensions.noGroups")}
+                    </div>
+                  ) : (
+                    <div className="space-y-3">
+                      {extensionGroups.map((group) => (
+                        <div
+                          key={group.id}
+                          className="rounded-md border p-3 space-y-2"
+                        >
+                          <div className="flex justify-between items-center">
+                            {editingGroup?.id === group.id ? (
+                              <div className="flex gap-2 items-center flex-1">
+                                <Input
+                                  value={editGroupName}
+                                  onChange={(e) =>
+                                    setEditGroupName(e.target.value)
+                                  }
+                                  className="flex-1"
+                                  onKeyDown={(e) => {
+                                    if (e.key === "Enter")
+                                      void handleUpdateGroup();
+                                  }}
+                                />
+                                <RippleButton
+                                  size="sm"
+                                  onClick={handleUpdateGroup}
+                                >
+                                  {t("common.buttons.save")}
+                                </RippleButton>
+                                <Button
+                                  size="sm"
+                                  variant="outline"
+                                  onClick={() => setEditingGroup(null)}
+                                >
+                                  {t("common.buttons.cancel")}
+                                </Button>
+                              </div>
+                            ) : (
+                              <>
+                                <span className="font-medium">
+                                  {group.name}
+                                </span>
+                                <div className="flex gap-1">
+                                  <Tooltip>
+                                    <TooltipTrigger asChild>
+                                      <Button
+                                        variant="ghost"
+                                        size="sm"
+                                        onClick={() => {
+                                          setEditingGroup(group);
+                                          setEditGroupName(group.name);
+                                        }}
+                                      >
+                                        <LuPencil className="w-4 h-4" />
+                                      </Button>
+                                    </TooltipTrigger>
+                                    <TooltipContent>
+                                      {t("common.buttons.edit")}
+                                    </TooltipContent>
+                                  </Tooltip>
+                                  <Tooltip>
+                                    <TooltipTrigger asChild>
+                                      <Button
+                                        variant="ghost"
+                                        size="sm"
+                                        onClick={() => setGroupToDelete(group)}
+                                      >
+                                        <LuTrash2 className="w-4 h-4" />
+                                      </Button>
+                                    </TooltipTrigger>
+                                    <TooltipContent>
+                                      {t("extensions.deleteGroup")}
+                                    </TooltipContent>
+                                  </Tooltip>
+                                </div>
+                              </>
+                            )}
+                          </div>
+
+                          {/* Extension assignment */}
+                          <div className="space-y-1">
+                            {group.extension_ids.length > 0 && (
+                              <div className="flex flex-wrap gap-1">
+                                {group.extension_ids.map((extId) => {
+                                  const ext = extensions.find(
+                                    (e) => e.id === extId,
+                                  );
+                                  if (!ext) return null;
+                                  return (
+                                    <Badge
+                                      key={extId}
+                                      variant="secondary"
+                                      className="flex items-center gap-1"
+                                    >
+                                      {ext.name}
+                                      <button
+                                        type="button"
+                                        className="ml-1 hover:text-destructive"
+                                        onClick={() =>
+                                          handleRemoveFromGroup(group.id, extId)
+                                        }
+                                      >
+                                        ×
+                                      </button>
+                                    </Badge>
+                                  );
+                                })}
+                              </div>
+                            )}
+                            {extensions.filter(
+                              (e) => !group.extension_ids.includes(e.id),
+                            ).length > 0 && (
+                              <Select
+                                value=""
+                                onValueChange={(extId) =>
+                                  handleAddToGroup(group.id, extId)
+                                }
+                              >
+                                <SelectTrigger className="h-8 text-xs">
+                                  <SelectValue
+                                    placeholder={t("extensions.addToGroup")}
+                                  />
+                                </SelectTrigger>
+                                <SelectContent>
+                                  {extensions
+                                    .filter(
+                                      (e) =>
+                                        !group.extension_ids.includes(e.id),
+                                    )
+                                    .map((ext) => (
+                                      <SelectItem key={ext.id} value={ext.id}>
+                                        {ext.name} (.{ext.file_type})
+                                      </SelectItem>
+                                    ))}
+                                </SelectContent>
+                              </Select>
+                            )}
+                          </div>
+                        </div>
+                      ))}
+                    </div>
+                  )}
+                </div>
+              )}
+            </div>
+          </div>
+
+          <DialogFooter>
+            <RippleButton variant="outline" onClick={onClose}>
+              {t("common.buttons.close")}
+            </RippleButton>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+
+      {/* Delete extension confirmation */}
+      <DeleteConfirmationDialog
+        isOpen={extensionToDelete !== null}
+        onClose={() => setExtensionToDelete(null)}
+        onConfirm={handleDeleteExtension}
+        title={t("extensions.deleteConfirmTitle")}
+        description={t("extensions.deleteConfirmDescription", {
+          name: extensionToDelete?.name ?? "",
+        })}
+        isLoading={isDeleting}
+      />
+
+      {/* Delete group confirmation */}
+      <DeleteConfirmationDialog
+        isOpen={groupToDelete !== null}
+        onClose={() => setGroupToDelete(null)}
+        onConfirm={handleDeleteGroup}
+        title={t("extensions.deleteGroupConfirmTitle")}
+        description={t("extensions.deleteGroupConfirmDescription", {
+          name: groupToDelete?.name ?? "",
+        })}
+        isLoading={isDeleting}
+      />
+    </>
+  );
+}
@@ -2,7 +2,14 @@ import { useTranslation } from "react-i18next";
 import { FaDownload } from "react-icons/fa";
 import { FiWifi } from "react-icons/fi";
 import { GoGear, GoKebabHorizontal, GoPlus } from "react-icons/go";
-import { LuCloud, LuPlug, LuSearch, LuUsers, LuX } from "react-icons/lu";
+import {
+  LuCloud,
+  LuPlug,
+  LuPuzzle,
+  LuSearch,
+  LuUsers,
+  LuX,
+} from "react-icons/lu";
 import { Logo } from "./icons/logo";
 import { Button } from "./ui/button";
 import { CardTitle } from "./ui/card";
@@ -23,6 +30,7 @@ type Props = {
  onCreateProfileDialogOpen: (open: boolean) => void;
  onSyncConfigDialogOpen: (open: boolean) => void;
  onIntegrationsDialogOpen: (open: boolean) => void;
+  onExtensionManagementDialogOpen: (open: boolean) => void;
  searchQuery: string;
  onSearchQueryChange: (query: string) => void;
 };
@@ -35,6 +43,7 @@ const HomeHeader = ({
  onCreateProfileDialogOpen,
  onSyncConfigDialogOpen,
  onIntegrationsDialogOpen,
+  onExtensionManagementDialogOpen,
  searchQuery,
  onSearchQueryChange,
 }: Props) => {
@@ -124,6 +133,14 @@ const HomeHeader = ({
              <LuUsers className="mr-2 w-4 h-4" />
              {t("header.menu.groups")}
            </DropdownMenuItem>
+            <DropdownMenuItem
+              onClick={() => {
+                onExtensionManagementDialogOpen(true);
+              }}
+            >
+              <LuPuzzle className="mr-2 w-4 h-4" />
+              {t("header.menu.extensions")}
+            </DropdownMenuItem>
            <DropdownMenuItem
              onClick={() => {
                onSyncConfigDialogOpen(true);
--- a/Show More
+++ b/Show More